WO2005045741A2 - System and method for name resolution - Google Patents

System and method for name resolution Download PDF

Info

Publication number
WO2005045741A2
WO2005045741A2 PCT/US2004/024341 US2004024341W WO2005045741A2 WO 2005045741 A2 WO2005045741 A2 WO 2005045741A2 US 2004024341 W US2004024341 W US 2004024341W WO 2005045741 A2 WO2005045741 A2 WO 2005045741A2
Authority
WO
WIPO (PCT)
Prior art keywords
user
computer system
documents
machine location
identity information
Prior art date
Application number
PCT/US2004/024341
Other languages
French (fr)
Other versions
WO2005045741A3 (en
Inventor
Murli Satagopan
Kim Cameron
Original Assignee
Microsoft Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=34522412&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=WO2005045741(A2) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Priority to CA002501466A priority Critical patent/CA2501466A1/en
Priority to AU2004279198A priority patent/AU2004279198B2/en
Priority to BR0406385-6A priority patent/BRPI0406385A/en
Priority to KR1020057007527A priority patent/KR101109371B1/en
Priority to MXPA05006610A priority patent/MXPA05006610A/en
Application filed by Microsoft Corporation filed Critical Microsoft Corporation
Priority to CN2004800013097A priority patent/CN1820264B/en
Priority to JP2006536581A priority patent/JP5065682B2/en
Priority to EP04779407.8A priority patent/EP1625511B1/en
Priority to EP14000362.5A priority patent/EP2728489B1/en
Publication of WO2005045741A2 publication Critical patent/WO2005045741A2/en
Publication of WO2005045741A3 publication Critical patent/WO2005045741A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00Digital computers in general; Data processing equipment in general
    • G06F15/16Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/958Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4547Network directories; Name-to-address mapping for personal communications, i.e. using a personal identifier
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/30Types of network names
    • H04L2101/37E-mail addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/618Details of network addresses
    • H04L2101/65Telephone numbers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/104Peer-to-peer [P2P] networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/104Peer-to-peer [P2P] networks
    • H04L67/1061Peer-to-peer [P2P] networks using node-based peer discovery mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Definitions

  • the present invention relates to publishing documents and information stored on individual machines, or nodes, in a distributed network and sharing these documents with other nodes in the network. More particularly, the present invention relates to systems and methods for providing another user access to such published documents.
  • IP Internet Protocol
  • IP Address is a unique string of numbers that identifies a computer on the Internet. IP addresses contain 32-bits, organized into four sets of three-digit numbers between 0 and 255, which are separated by periods, like this: 123.123.023.002. All machines on the Intemet must have an IP address and no two computer systems may have the same IP address at the same time. IP addresses may be dynamic or static. A static IP address is one that is permanently assigned to a computer system - it is the only IP address used by that system. A dynamic IP address is one that is assigned on the fly from a group of IP addresses assigned to an organization, for example. Although no IP address can be used for two computer systems at the same time, each computer system may use a multitude of different IP addresses.
  • IP addresses are not user-friendly because they contain only numbers with no readily understandable meaning. For this reason, it is nearly impossible for people to remember their own IP addresses, let alone the IP addresses of machines belonging to other people.
  • DNS Domain Name System
  • the Domain Name System makes it easier to find machine locations by allowing a familiar string of letters (the "domain name") to be used instead of the arcane IP address. So instead of remembering and typing 66.201.69.207, users can type www.microsoft.com. Domain names are also used for reaching e-mail addresses and for other Internet applications.
  • the domains names are resolved, i.e., converted from the domain name to the IP address, through a service hosted on a number of servers located throughout the Internet.
  • DNS has at least two limitations.
  • Public keys are associated with a particular person and consist of a long string of bytes, for example 32 numbers and letters, such as KP12JSP2345L1298FE23KLKSERQOC38S. Public keys are typically used to enable users of an unsecure public network, such as the Intemet, to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.
  • Public key cryptography is the most common method on the Internet for authenticating a message sender or encrypting a message.
  • Public keys may he obtained in a number of ways. For example, a public key may be created and assigned by an operating system when a person creates a user account on a computer system. Alternatively, in public key cryptography, a public key and private key are created simultaneously using the same algorithm by a certificate authority. Public keys are connected to machine locations through use of the peer name resolution protocol ("PNRP"), which stores each person's public key with their current location in a publicly available table or some other searchable data structure. Thus, if you know a person's public key, one may use PNRP to determine its associated current machine location, which is usually in the form of an IP address.
  • PNRP peer name resolution protocol
  • a public key is a string of many bits that have no meaning and even harder to memorize than the IP address itself.
  • Yet another way to determine a machine location involves receiving (such as through email) a link that incorporates or contains the machine location. When the link is selected, the browser automatically enters the IP address or public key associated with the link into the browser.
  • an accessing principal would need to save the email and find and open it every time the accessing node wanted to access the publishing node's resources. This is time consuming, cumbersome, and wastes storage capacity on the accessing machine.
  • the invention may be implemented as a computer process, a computing system or as an article of manufacture such as a computer program product or computer readable media.
  • the computer program product may be a computer storage media readable by a computer system and encoding a computer program of instructions for executing a computer process.
  • the computer program product may also be a propagated signal on a carrier readable by a computing system and encoding a computer program of instructions for executing a computer process.
  • the present invention relates to accessing and publishing documents between two computer systems or nodes that are connected together in a network environment and more particularly relates to a system and method for name resolution between a user-friendly handle signifying identity with a machine location where the documents are stored, so that network users may easily access these documents through knowledge of the user-friendly handle.
  • a user's documents may be accessed through use of a user- friendly handle identifying the user and a path name that describes the documents of interest, which are resolved to a machine location where the documents are stored.
  • An email address is an exemplary example of a user-friendly handle and an IP address or public key are exemplary examples of machine locations.
  • a method of accessing documents stored on a first publishing computer system through a second accessing computer system begins when an identity information document from the first computer system is stored on the second computer system.
  • the identity information document has, at a minimum, a user-friendly handle identifying a principal and a machine location for the first computer system.
  • the second computer system replaces the user-friendly handle with the machine location and sends the amended request to the machine location of the first computer system.
  • This method allows the second computer system to access documents on the first computer system with knowledge only on the user-friendly handle. Knowledge of the machine location, IP address, or public key for the first computer system is not necessary.
  • the present invention relates to a method of publishing documents between a plurality of nodes connected in a network environment. The method begins by sending an identity information document from a publishing node to an accessing node.
  • the identity information document includes at least a user-friendly handle identifying a principal and a machine location for the publishing node.
  • the identity information document is thereafter stored on the accessing node.
  • the present invention relates to a computer system comprising a storage module for storing an identity information document received from a second computer system and a name resolution module connected to the storage module.
  • the name resolution module intercepts requests for access to documents stored at the user-friendly handle of the identity information document and amends the request to replace the user-friendly handle with the machine location from the identity information document.
  • the present invention relates a computer readable medium encoding a computer program of instructions for executing a computer process for name resolution.
  • the process starts with a store operation storing an identity information document from a publishing computer system.
  • an intercept operation intercepts an initial request for access to documents stored on the publishing computer system when the initial request contains the user-friendly handle.
  • an amend operation amends the request to replace the user-friendly handle with the machine location.
  • Fig. 1 illustrates a communication or distributed network of nodes that incorporates aspects of the present invention.
  • Fig. 2 illustrates a computer system that may be used according to particular aspects of the present invention.
  • Fig. 3 illustrates the structure of an identity information documents according to particular aspects of the present invention.
  • Fig. 4 illustrates a representation of the software environment according to aspects of the present invention.
  • Fig. 5 illustrates a flow chart of operational characteristics of the present invention with respect to an accessing node.
  • Fig. 6 illustrates a flow chart of operational characteristics of an alternative embodiment of the present invention with respect an accessing node and a publishing node.
  • Fig. 7 illustrates a flow chart of operational characteristics of yet alternative embodiment of the present invention with respect an accessing node and a publishing node.
  • FIG. 1 A distributed environment 100 incorporating aspects of the present invention is shown in Fig. 1.
  • the environment 100 has at least one computer system 102 and potentially other computer systems such as 108, 110, and 152, wherein the various computer systems are referred to as "nodes” or “machines.”
  • a "computer system” shall be construed broadly and is defined as “one or more devices or machines that execute programs for displaying and manipulating text, graphics, symbols, audio, video, and/or numbers.”
  • Nodes in the network may be any type of computer system, including, without limitation, a telephone such as node 108, a PDA such as node 110, a desktop computer such as nodes 102 and 152, a lap top computer (not shown), and many others.
  • nodes 102, 108, 110 and 152 may alternatively be computer processes within a computer system.
  • the nodes 102, 108, 110 and 152 may combine a combination of separate computer systems distributed across a local area network, a wide area network, or a combination of separate network communications.
  • each of the computer systems 102, 108, 110 and 152 are considered nodes within the environment 100 capable of communicating with other nodes within the environment 100 and sharing documents, information, and resources with other network nodes.
  • the nodes may communicate via separate protocols such as TCP/IP or other network and/or communication protocols, implemented over networks such as the Internet 106.
  • the separate nodes 102, 108, 110 and 152 may in fact be in communication with other nodes via other indirect ways. Indeed, the connections shown in 100 merely indicate that a node may communicate with another node. Communication between machines 102, 108, 110 and 152 maybe achieved, as stated, by many communication protocols.
  • the definition of a communication used herein relates to the transfer of a message, an event, or any other information from one node to another.
  • the nodes of environment 100 may be able to communicate with all other nodes in the network 100, but such a requirement is not necessary.
  • the first node In order to communicate information from a first node to a second node, the first node needs the machine location or some other identifying information for the accessing node. Using the machine location, the sending node may send the information using any transfer protocol. Although only four nodes 102, 108, 110 and 152 are shown in Fig. 1, the network environment may include other nodes. Indeed, the number of nodes for environment 100 may be quite extensive incorporating thousands, to tens of thousands of nodes or more. Hence, the present invention is beneficial in scaling the environment 100 as needed so that practically any number of nodes may communicate information according to the present invention.
  • the present invention relates to a user-friendly system and method for publishing or sharing resources stored on one network node, the "publishing node,” with another network node, the "accessing node.”
  • Computer system 102 is an example of a publishing node and includes a database 104 having data organized into one or more directories, or folders, such as folders 118, 120, 122, and 124.
  • the database 104 relates to a generic file system or other organized data system for storing and retrieving electronic documents.
  • the database 104 may include any type of data or file, which will be referred to herein as "documents.”
  • documents should be construed broadly and may include, but is not limited to, photographs, video clips, audio clips, text files, presentations, software code, or any other personal resource stored on a computer system.
  • the documents may be organized within the database in any way, including without limitation, in folders and subfolders with descriptive names.
  • folder 118 may contain "jpeg” files and be entitled “photos”
  • folder 120 may contain audio clips and be labeled music
  • folder 122 may contain "mpeg” files and be labeled video
  • folder 124 may contain executable code and be labeled "software.”
  • the ellipse 126 indicates that there may be generally any number of folders in database 104 containing any types of documents. Although only one database 104 is shown, ellipse 128 indicates that the machine 102 may have more than one database that is organized in the same way or a different way than database 104.
  • the database 104 may be specific to a principal user of the machine and stored in that principal's profile located in the machine 102.
  • Principals should be construed broadly and defined as any entity capable of acting digitally. Principals include without limitation individual people, groups or sets of people meaning individuals, households, organizations, explicit groups, and people in common roles or people who share attributes of some kind as well as the various electronic devices through which these individuals act. Another principal may have a different database stored in machine 102 that is only accessible by that principal. Computer system 102 additionally maintains a set of self-identity information 130 that comprises a variety of information about the principal represented by or using the computer system 102. This information, for example, may include a name, email address, website URL, physical mailing address, machine location for the principal's computer system, and other personal information as well as a usage policy describing how this information may be used.
  • identity claims include at least a user-friendly handle identifying the computer system 102 and a machine location.
  • Computer system 102 is capable of creating an identity information document 116 containing some or all of the self-identity information 130 and sending the identity information document 116 to any other node in the environment 100 as shown by the dashed arrows 132 in Fig. 1.
  • identity information document shall mean a subset of identity information for a principal transmitted from one machine to another so as to allow the device that receives the identity information document to recognize the principal and the principal's associated digital events. Details of one possible format for the identity information document 116 will be discussed below with reference to FIG. 3.
  • the identity information document 116 may be in a format suitable for transferring information between disparate systems across various types of channels.
  • the channel used to transfer the identity information document 116 from the computer system 102 to a receiving system, such as computer system 152, can be any of a variety of possible media. For example, email, instant messaging, beaming, and many other mechanisms may be used as channels. Further, the channel may or may not be secure.
  • the computer system 152 is an example of a accessing node and contains a control module 154 that reads the incoming identity information document 116 and accepts it or rejects it depending upon different variables. For example, if the identity information document 116 originates from a known principal, the computer system 152 will accept and store the identity information document 116.
  • the computer system 152 may reject the identity information document 116 or seek further verification of its authenticity.
  • the identity information document 116 is accepted, the identity claims it contains are added to a recognized identity information database 156 of the computer system 152, which may use this information to verify and authenticate the computer system 102 in the future and employ channels of interacting with that principal that may not otherwise be trusted.
  • the principal represented by the identity information document 116 may then, for example, be verified and given access to resources on the computer system 152 such as documents stored in a database like the database 104 of the computer system 102.
  • the computer system 152 accepts and stores the identity information document 116 in its database 156, it will be able to use the identity claims for the principal of the computer system 102 to more easily and quickly access the documents contained in the database 104 of the computer system 102 as will be explained in detail with reference to FIGS. 4-6.
  • the computer system 152 has a resolution module 160 that intercepts requests to access documents on computer system 102, which requests may come from a principal using the computer system 152 or may happen automatically.
  • the initial request from the principal includes a user-friendly handle, e.g., the user friendly handle identity claim from the computer system 102.
  • the resolution module 160 translates the user-friendly handle into a machine location, also received from the computer system 102, and enters the appropriate information into the web browser of the computer system 152, which, in turn, accesses the requested data on the computer system 102. Because of the resolution operation of the resolution module 160, the principal of the computer system 152 does not have to remember the machine location, IP address or public key for the computer system 102, but instead needs only to remember the user-friendly handle (and an associated path).
  • computer system 152 also contains self-identity information (not shown) and the computer system 102 also contains a control module (not shown) and a recognized identity database (not shown), hi order for the principal of computer system 152 to access the documents in the database 104 of computer system 102, the principal of computer system 152 must send its own identity information document 158 to computer system 102 before he or she will be given access to documents in database 104. In other words, there must be a mutual exchange of identity information documents 116 and 158 for a principal of computer system 152 to easily request and gain access to the documents in the database 104.
  • the computer system 102 may not require any verification or authentication process and may allow any accessing principal to access the documents contained in the database 104.
  • Fig. 2 shows a computer system 200 that may represent one of the nodes, such as 102 or 152 shown in Fig. 1, which receives and disseminates information and publishes and shares documents in accordance with the present invention.
  • the system 200 has at least one processor 202 and a memory 204.
  • the processor 202 uses memory 204 to store documents in databases, such as database 104, self- identity information 130, and recognized identity database 156. In its most basic configuration, computing system 200 is illustrated in Fig.
  • system 200 may also include additional storage (removable and or non-removable) including, but not limited to, magnetic or optical disks or tape.
  • additional storage is illustrated in Fig. 2 by removable storage 208 and non-removable storage 210.
  • Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
  • Memory 204, removable storage 208 and non-removable storage 210 are all examples of computer storage media.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by system 200. Any such computer storage media may be part of system 200.
  • memory 204 maybe volatile, non- volatile or some combination of the two.
  • System 200 may also contain communications connection(s) 212 that allow the device to communicate with other devices, such as other nodes 108, 110 or 152 shown in Fig. 1.
  • system 200 may have input device(s) 214 such as keyboard, mouse, pen, voice input device, touch input device, etc.
  • Output device(s) 216 such as a display, speakers, printer, etc. may also be included. All these devices are well known in the art and need not be discussed at length here.
  • Computer system 200 typically includes at least some form of computer readable media.
  • Computer readable media can be any available media that can be accessed by system 200.
  • Computer readable media may comprise computer storage media and communication media. Computer storage media has been described above.
  • Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
  • modulated data signal means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
  • Fig. 3 illustrates an exemplary format for an identity infomiation document 300 that may represent one or both of the identity information documents 116 and 158 shown in Fig. 1.
  • the identity information document 300 is a collection of identity claims and other attribute/property claims that may be bound to a public key and governed by an embedded use policy.
  • XML may be used as the encoding language for the identity information document.
  • other formats are considered equally suitable.
  • the elements of the identity information document 300 may also be optionally encrypted if they contain information whose confidentiality must be maintained.
  • the data within the identity information document 300 can be divided into two categories, including a set of logical components 302 and a set of attribute tags 316.
  • the identity information document 300 has six principal logical components: 1) a principal identifier 304; 2) one or more identity claims of the principal 306; 3) a display name and zero or more selectively disclosed attributes of the principal 308; 4) one or more keys 310 for the principal enveloped in any acceptable formats (for example public keys in X509v3 certificates); 5) a use policy that expresses the principal's privacy requirements 312; and 6) a digital signature over the entire content of the identity information that protects the integrity of the data and authenticates the sender in the case of identity information updates 314.
  • Each of these six logical components 302 are discussed in turn below.
  • the principal identifier 304 is a user-friendly handle that identifies the principal that is the principal of the identity claims contained in the identity information document 300.
  • the preferred principal identifier 304 is the principal's email address if the principal is a person.
  • the principal identifier should be construed broadly as any type of user- friendly handle that uniquely identifies a principal and may include, but is not limited to, email addresses, telephone numbers, mobile phone numbers, etc.
  • Identity claims 306 include additional structured information relating to the principal that is the subject of the identity information document.
  • Identity claims should be construed broadly as descriptive information about a principal that may include, but are not limited to, physical mailing addresses, telephone and facsimile numbers, employer information, date of birth, etc.
  • a telephone number may be a valid identity claim for one person.
  • a cell phone number, a direct dial work number or a home number may be a valid identity claim for someone who does not share a cell phone, a direct dial work number or who lives alone.
  • a telephone may not be a valid identity claim for a single person, such as a home phone number shared by a family of people. In such a case the home telephone number could be an identity claim to represent the household, but not one individual.
  • the machine location 308 provides a unique address for the principal's computer system, and may include without limitation, an IP address or a public key.
  • the machine location 308 may actually include a list of machine locations if a principal has more than one computer system or if the computer system is mobile, such as a laptop computer system or a PDA. In one embodiment, each machine location may contain a list of documents stored at that machine location.
  • the machine location 308 may include an IP address for each of the first and second computer systems and an indication that "photos" are stored at the machine location for the first computer system and that "music" is stored at the machine location for the second computer system.
  • the keys portion 310 contains one or more keys, such as public keys encapsulated within a certificate format (for example, X509v3 certificates).
  • the keys 310 can be public keys and can be included in the identity information as recognition infomrationf or the subj ect of the identity information.
  • the use policy 312 conveys the principal's instructions about permissible uses for the contents of the identity information document 300. For example, the use policy 312 may indicate that the contents of the identity information should not be divulged to others.
  • a recipient's recognized identity information database such as database 156 in Fig. 1, will store the use policy along with the rest of the information defining the principal.
  • the digital signature 314 provides a principal with the ability to sign data within the identity information document. XML signatures have three ways of relating a signature to a document: enveloping, enveloped, and detached.
  • the identity information document uses XML enveloped signatures when signing the identity information content.
  • the identity information document 300 can carry six or more attributes tags 316 relating to the identity information document 316 itself.
  • the attribute tags may include an ID value for the identity information document 300, version information for the document 300 and/or the principal type that the document 300 represents, e.g., a person, computer or organization. Other attribute tags may also be employed.
  • the identity information document is stored in a generalized manner on the primary computer system, such as systems 102 and 402 described above in conjunction with Figs. 1 and 4, respectively.
  • Fig. 4 illustrates the functional components related to accessing and sharing or publishing documents between two or more computer systems 402 and 450. That is, Fig.
  • Fig. 4 represents software components or modules according to aspects of the present invention.
  • Fig. 4 illustrates a publishing node or computer system 402 and an accessing node or computer system 452 and their associated modules used to publish and access documents according to the present invention.
  • Computer system 402 has among other modules that are not shown, the following components: 1) a database 404; 2) an identity information document module 414; 3) a user-interface module 416; 4) a verification and publish module 418; 5) a memory access module 420; 6) a communication module 422; and (vii) a self-identity information database 424.
  • the database 404 contains documents that may be organized into folders 406, 408, 410, and 412. In this example, these documents represent the documents to be published to the system 452 and thus accessed by system 452.
  • the user-interface module 416 allows the principal of the computer system
  • the memory access module 420 allows the computer system 402 and/or the principal to access data stored on the system, such as data contained in the database 402 and/or data contained in the self-identity information database 424.
  • the computer system 402 may access the memory access module 420 through other modules, such as the identity information document module 414 or the verification and publish module 418.
  • the principal uses the user-interface module 416 to control the memory access module 414.
  • the identity information document module 414 creates identity information documents, such as the identity information document 300 shown in Fig. 3, by using the memory access module 414 retrieve to pull data from the self-identity information database 424.
  • the identity information document module 414 may create an identity information document upon a command from the principal through the user interface module 416 or may alternatively create identity information documents through a standardized procedure without a direct command from the principal.
  • the identity information document module 414 transfers the identity information document to the communication module 422 for communication to other nodes in the network. In other embodiments, the identity information document is simply stored in memory, and, upon request, the document is transmitted to another system via communication module 422.
  • the conimunication module 422 controls communications between the computer system 402 and other nodes of the network, including both sending and receiving information to or from other network nodes, such as computer system 452.
  • the principal controls the commumcation module 422 through the user- interface module 416 and may through this process command that the identity information document be sent to other computer systems, such as computer system 452.
  • the communication module 422 also allows the principal to send other types of information, such as email, to other nodes of the network.
  • the verification and publication module 420 receives requests to access and publish documents, such as those in database 404, from other network nodes through the communications module 422.
  • the verification and publication module 422 performs a gate-keeping function and attempts to verify that the accessing computer system has permission from the principal to receive the published documents. If permission exists, the verification and publication module 420 uses the memory access module 420 to retrieve the requested documents and publishes the documents by sending them to the communication module 422 for communication to the accessing computer system. If permission does not exist, the verification and publication module 420 denies the request to publish, which is communicated to the accesser through the communication module 422. In an alternative embodiment, the verification and publication module 420 does not act as a gate-keeper, but rather retrieves and publishes all requested documents.
  • Computer system 452 is an example of an accessing node, similar to node
  • a communication module 454 contains the following components: 1) a communication module 454; 2) a verification module 460; 3) a storage module 458; 4) a name resolution module 456; and 5) a user-interface module 462.
  • the user-interface module 462 allows the principal of the computer system 452 to access and control any of the other modules including without limitation, the communication module 422. So, for example the principal of system 452 might use the user-interface module 416 to direct the communications module 422 to send a request to publish documents to the publishing node 402.
  • the conimunication module 454 controls communications between the computer system 452 and other nodes of the network, including both sending and receiving information from other network nodes, such as computer system 402.
  • the communication module 454 is responsible for forwarding identity information documents that it receives from other network nodes to the verification module 460.
  • the verification module 460 is responsible for translating identity information documents and determining whether they come from a trusted source, a trusted channel, or can otherwise be authenticated. If the identity information document is accepted, the verification module transfers the identity information document to the storage module 458.
  • the verification module 460 relates to some function of control module 154 in Fig. 1 in that it reads the incoming identity information document 116 and accepts it or rejects it depending upon different variables.
  • the storage module 458 stores the identity information document for later uses by the computer system 452. As with the verification module 460, the storage module 458 also performs some of the functions of the control module 154 shown and described in conjunction with Fig. 1 in that it stores accepted identity information documents. / Finally, the name resolution module 456 is responsible for intercepting a request to access published documents from another network node in the form of a user-friendly handle from the communications module 454. As discussed above, the request most likely comes from the principal via the user-interface module 462. The name resolution module 456 further is responsible for searching the storage module 458 for an identity information document with a principal identifier (such as principal identifier 304 in Fig.
  • a principal identifier such as principal identifier 304 in Fig.
  • the name resolution module 456 is similar to resolution module 160 from Fig. 1 in that it that intercepts requests to access documents from an accessing node, translates the user-friendly handle into a machine location for the publishing node, and enters the appropriate information into the web browser of the computer system 152, which, in turn, accesses the requested data on the publishing node.
  • Fig. 5 shows a method for publishing documents located on a publishing computer system, such as computer system 102 in Fig. 1 or 402 in Fig.
  • Flow 500 generally relates to the process performed by accessing node.
  • Flow 500 begins with store operation 502, wherein an identify information document, such as one from a publishing node, is stored in a location on the accessing computer system, such as in a recognized identity database 156 from Fig. 1.
  • an identify information document such as one from a publishing node
  • the identity information document received will contain at a minimum a user-friendly handle identifying the principal of the publishing system, such as an email address, and a machine location for the principal's computer system, such as an IP address.
  • intercept operation 504 intercepts an initial request to access published documents that are stored on the publishing node.
  • the request may be one initiated by the principal of the accessing node, one initiated by another modules within the accessing computer system, or an automatic request.
  • the request will be in the form of or contain a user-friendly handle identifying the principal of the publishing node or the publishing node itself. For example, the request may be to access documents located at an e-mail address.
  • search operation 506 searches previously received and stored identity information documents to determine whether a principal identifier matches the user- friendly handle received in the request operation 504. If the system is unable to locate a matching identity information document in step 506, the flow 500 branches NO 507 which notifies the principal or other module that the request has failed. Upon notifying the principal that the request failed, process 500 ends.
  • search operation 506 locates the matching identity information document, i.e., one that has a principal identifier that matches the e-mail address received at step 504, flow 500 braches YES to determination operation 508.
  • Determination operation 508 determines the machine location, which is included in identity information document located in step 506.
  • resolution operation 510 replaces the user-friendly handle, e.g., the email address with the machine location, e.g., IP address 123.123.023.002.
  • send operation 512 sends the request to publish documents in the form of the machine location, rather than the user-friendly handle, to the publishing node.
  • Steps 506 and 508-512 happen behind the scenes and are not revealed to the principal. Rather, it appears to the principal that his or her request for access to the published documents is delivered in the form of the user-friendly handle, the email address, and not the meaningless machine location. In this way, a principal may access documents located on a different computer system through knowledge only of a user-friendly handle identifying the principal of the publishing computer system. The principal of the accessing system does not need to know or remember cumbersome numbers, such as IP addresses, to access these documents.
  • Fig. 6 likewise shows a method for publishing documents located on a publishing computer system, but shows both the processes performed by the publishing node, such as computer system 102 or 402, and the accessing node, such as computer system 152 or 452.
  • Flow 600 begins with deliver operation 602, which delivers to another node, such as the accessing node, a path name for a location of one or more documents and a user-friendly handle identifying the principal of the publishing node.
  • deliver operation might comprise an email message from the principal of the publishing node, whose name is Bob, that says: "check out my photos at bob@xyz.com/photos.”
  • the principal may send the path name and user-friendly handle to the accessing node or principal via a telephone call, faxed document, or by some other means.
  • Flow 600 moves to receive operation 604 where the accessing machine receives the path name for documents and user- friendly handle identifying the principal of the publishing machine.
  • send operation 606 sends the accessing node an identity information document for the principal of the publishing machine, in this example, Bob's identity information document.
  • Receive operation 608 receives Bob's identity information document, followed by store operation 609, which stores the identity information document in a recognized identity database, similar to database 156 described and shown in conjunction with Fig. 1.
  • verification operation occurs after receive operation 608 and before store operation 609. Verification operation attempts to authenticate the principal represented by the identity information document and makes a decision about whether or not to accept and store the identity information document.
  • intercept operation 610 intercepts an initial request for access to documents.
  • the initial request may originate from a principal or some ' other source and seeks to gain access to documents at a user-friendly handle/path location, such as bob@xyz.com/photos.
  • resolution operation 612 resolves the initial request to create an amended request by substituting the user-friendly handle with a machine location using the process described in detail in Fig. 5, namely finding a matching identity information document, determining the machine location, and substituting the machine location for the user-friendly handle.
  • parse operation (not shown) separates the user- friendly handle and the path name and searches for a match only with the user- friendly handle portion of the initial request.
  • parse operation would drop "/photos" and search for a principal identifier with Bob's email at bob@xyz.com.
  • the principal's identity information document includes more than one machine location and an additional search operation (not shown) search each of the machine locations in the identity information document to determine which machine location contains the path name included in the intercepted request.
  • the resolution operation 612 then substitutes the machine location that corresponds with the path name set forth in the initial request.
  • send operation 614 sends the amended request for published documents using the machine location instead of the user-friendly handle. If a path name is involved, send operation 614 further includes a request to access documents located at that path.
  • flow 600 shifts back to the publishing machine at receive operation 616, receiving the amended request to access documents at the specified path, in this case, the photos folder, such as folder 118 in Fig. 1.
  • verification operation 618 determines whether the principal of the accessing node is authorized to view the requested documents. If the accessing principal is not authorized, flow 600 braches NO deny operation 620, which denies the request for access to documents and the process ends. If the accessing principal is authorized, flow 600 branches YES to locate operation 622 which locates the requested documents using the path name included in send operation 614. Finally, publish operation 624 published the requested documents and flow 600 ends.
  • verification operation 618 checks to determine whether the accessing principal is listed in a recognized identity database, that is, whether the accessing principal has previously sent the publishing node his or her identity information document. If the answer is yes, verification operation 618 branches YES to locate operation 622. Thus, in this embodiment a mutual exchange of identity information documents is required for documents to be published by one machine to another. This is the most secure way to publish documents. In an alternative embodiment of the present invention, verification operation 618 does not require that the accessing principal send its identity information document. Instead, verification operation 618 may consider other variable in determining whether to allow access to the requested documents or verification operation 618 and deny operation 620 may be omitted from flow 600 altogether.
  • flow 600 would proceed from receive operation 616 directly to location operation 622.
  • the publishing machine may decide that it will allow anyone with its identity information document to access documents on its system. Although this method is simpler than the last, it is not as secure as requiring a mutual exchange of identity information documents.
  • notify operation notifies the accessing node that the request for access to documents has been denied.
  • another send operation may send the publishing node an identity information document representing the accessing node or its principal and start the process over at intercept operation 610. If the publishing node has received the accessing node's identity information document, flow 600 is more likely to branch YES to location operation 622 than to branch NO to deny operation 620.
  • the machine location portion of the identity information document may contain a public key rather than an IP address.
  • a "public key” should be construed broadly and be defined as a code unique to a principal consisting of numbers and/or letters with no recognized meaning. The foregoing system and methods would work as described above with one exception, described below.
  • PNRP peer name resolution protocol
  • PNRP generally consists of a distributed system of knowledge including hashes of public keys and current machine locations. Thus the public key is used to find a principal's "current" machine location.
  • current machine location should be construed broadly to mean a machine location at a given point in time. For example, if a computer system uses a dynamic IP address, its current machine location may change from a first point in time to second, later point in time. Use of a public key and PNRP will allow an accessing node to access documents from a publishing node even if the publishing node is using a dynamic IP address. Alternatively, a current machine location may change if the machine is mobile, such as a lap top computer system or a PDA. PNRP is capable of tracking current machine locations for mobile machines as well.
  • a public key and PNRP will allow an accessing node to access documents from a publishing node even if the publishing node is mobile. If a public key is used as the machine location, the accessing node must know the publishing node's public key in order to gain access to the publishing node's documents. The only way for the accessing node to get the publishing node's public key is for the publishing node to send the accessing node its key. In this way, the publishing node is able to effectively control those who are able to access its resources by controlling to whom it sends its public key. Fig.
  • Flow 700 begins with a register operation registering an encrypted machine name, a host domain, and an associated registered machine location with a conventional DNS server.
  • DNS servers generally store a table with machine names appended to host domains along with a corresponding registered machine location, such as an IP address.
  • Network users use the DNS server to look up the registered IP addresses for specific machines.
  • an "encrypted machine name” shall mean a public key that has been changed into a secret code that people cannot understand or use on normal equipment.
  • One way to create an encrypted machine name is to apply an algorithm to the public key.
  • deliver operation 706 delivers a path name for a location of one or more documents and a user-friendly handle identifying the principal of the publishing node.
  • Flow 700 moves to receive operation 706 where the accessing machine receives the path name for documents and user-friendly handle identifying the principal of the publishing machine.
  • send operation 708 sends the accessing node an identity information document for the principal of the publishing machine.
  • the identity information document includes at least a principal identifier, a public key, and a domain host for the principal of the publishing node.
  • Receive operation 610 receives the identity information document, followed by store operation 712, which stores the identity information document in a recognized identity database, similar to database 156 described and shown in conjunction with Fig. 1.
  • intercept operation 712 intercepts an initial request for access to documents.
  • the initial request may originate from a principal or some other source and seeks to gain access to documents at a user-friendly handle/path location.
  • resolution operation 714 resolves the user-friendly handle in the initial request with a public key and domain host set forth in an identity information document with a principal identifier that matches the user-friendly handle using the process described in detail in Fig. 5.
  • convert operation 718 performs a computation on the public key to convert it to the encrypted machine name and append operation 720 appends the encrypted machine name to the domain host.
  • the convert operation comprises performing an algorithm on the public key, wherein the algorithm is the same algorithm used by the publishing node in register operation 702.
  • the algorithm may be a standard algorithm used commonly by many network nodes, or may be a specific algorithm that was received by the accessing node in some other way.
  • Flow 700 then moves to lookup operation 722, which uses the encrypted machine name/domain host combination to look up the registered machine location on a DNS server.
  • lookup operation 722 uses the encrypted machine name/domain host combination to look up the registered machine location on a DNS server.
  • amend operation 724 amends the initial request to substitute the user-friendly handle with the registered machine location and sends the amended request for published documents using the registered machine location instead of the user-friendly handle.
  • send operation 614 further includes a request to access documents located at that path.
  • the benefit of using the method illustrated by flow 700 is that it allows a publishing machine to employ additional security measures while utilizing conventional DNS servers.
  • DNS addresses are publicly available and potential hackers can use the DNS servers to learn a publishing node's machine name and machine location. Hackers may then use this information to gain unauthorized access to a publishing node's resources.
  • Registering an encrypted machine name with the DNS server prevents hackers from learning the publishing node's machine name, but makes it more difficult for authorized user's to gain access to the publishing node's resources.
  • Process 700 allows authorized accessing nodes to access the publishing node's resources with knowledge only of the user- friendly handle.
  • the publishing node does not need to know the unfriendly encrypted machine name or domain host in order to access the publishing node's resources. Security is enhanced because the accessing node must receive the publishing node's identity information document in order to utilize the name resolution method.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

In accordance with various aspects, the present invention relates to accessing and publishing documents between two computer systems or nodes that are connected together in a network environment. The system and method for name resolution stores an identity information document containing a user-friendly handle signifying identity, such as an email address, and a machine location, such as an IP address, for the publishing computer system where the documents are stored. Next, the system and method intercepts an initial request for access to documents when the initial request includes a user-friendly handle and replaces the user-friendly handle with the machine location, so that network users may easily access these documents through knowledge only of the user-friendly handle.

Description

SYSTEM AND METHOD FOR NAME RESOLUTION
Field of the Invention The present invention relates to publishing documents and information stored on individual machines, or nodes, in a distributed network and sharing these documents with other nodes in the network. More particularly, the present invention relates to systems and methods for providing another user access to such published documents.
Background of the Invention hi distributed networks or systems having many connected nodes or processes, the ability to share files, documents, and information between nodes of the network is important. There are several conventional ways that users may share files and documents, including posting the documents on web servers, where access may be open to anyone or restricted to pre-approved users by a password protection system. The problem with this system is two-fold. First, it typically requires a third party, such as a web-hosting service, to maintain the documents on a server computer, which generally requires an initial set up fee and recurring maintenance fees.
Second, the involvement of a third party inherently reduces the user's control over the files or documents stored on the web server. Another way to share files among users of a distributed network is for a user who wishes to share files ("the publisher") with another user ("the accesser") to provide the accesser with his or her machine location, and a path name on the machine where the documents are stored. The accesser accesses the publisher's documents by entering the machine location and path name into a web browser or other access program to reach the publisher's machine. In this situation, the publisher's machine typically provides a security system that pemiits access only to approved accessing users. In order to enter the machine location, the user must know the same. One method of entering the machine location involves entering an Internet Protocol ("IP") address. An "IP Address" is a unique string of numbers that identifies a computer on the Internet. IP addresses contain 32-bits, organized into four sets of three-digit numbers between 0 and 255, which are separated by periods, like this: 123.123.023.002. All machines on the Intemet must have an IP address and no two computer systems may have the same IP address at the same time. IP addresses may be dynamic or static. A static IP address is one that is permanently assigned to a computer system - it is the only IP address used by that system. A dynamic IP address is one that is assigned on the fly from a group of IP addresses assigned to an organization, for example. Although no IP address can be used for two computer systems at the same time, each computer system may use a multitude of different IP addresses. IP addresses are not user-friendly because they contain only numbers with no readily understandable meaning. For this reason, it is nearly impossible for people to remember their own IP addresses, let alone the IP addresses of machines belonging to other people. The Domain Name System (DNS) makes it easier to find machine locations by allowing a familiar string of letters (the "domain name") to be used instead of the arcane IP address. So instead of remembering and typing 66.201.69.207, users can type www.microsoft.com. Domain names are also used for reaching e-mail addresses and for other Internet applications. The domains names are resolved, i.e., converted from the domain name to the IP address, through a service hosted on a number of servers located throughout the Internet. However, DNS has at least two limitations. First, it requires the use of third party equipment, the DNS servers, to handle the name resolution. Second, it is not very secure because almost anyone can determine a specific machine name and location for any computer system. Therefore, the conventional DNS is not a very effective method for publishing resources on a computer system. Another way to get a machine location is to use a public key. Public keys are associated with a particular person and consist of a long string of bytes, for example 32 numbers and letters, such as KP12JSP2345L1298FE23KLKSERQOC38S. Public keys are typically used to enable users of an unsecure public network, such as the Intemet, to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. Public key cryptography is the most common method on the Internet for authenticating a message sender or encrypting a message. Public keys may he obtained in a number of ways. For example, a public key may be created and assigned by an operating system when a person creates a user account on a computer system. Alternatively, in public key cryptography, a public key and private key are created simultaneously using the same algorithm by a certificate authority. Public keys are connected to machine locations through use of the peer name resolution protocol ("PNRP"), which stores each person's public key with their current location in a publicly available table or some other searchable data structure. Thus, if you know a person's public key, one may use PNRP to determine its associated current machine location, which is usually in the form of an IP address. However, like an IP address, a public key is a string of many bits that have no meaning and even harder to memorize than the IP address itself. Yet another way to determine a machine location involves receiving (such as through email) a link that incorporates or contains the machine location. When the link is selected, the browser automatically enters the IP address or public key associated with the link into the browser. Unfortunately however, an accessing principal would need to save the email and find and open it every time the accessing node wanted to access the publishing node's resources. This is time consuming, cumbersome, and wastes storage capacity on the accessing machine. The invention may be implemented as a computer process, a computing system or as an article of manufacture such as a computer program product or computer readable media. The computer program product may be a computer storage media readable by a computer system and encoding a computer program of instructions for executing a computer process. The computer program product may also be a propagated signal on a carrier readable by a computing system and encoding a computer program of instructions for executing a computer process. These and various other features as well as advantages, which characterize the present invention, will be apparent from a reading of the following detailed description and a review of the associated drawings. Summary of the Invention The present invention relates to accessing and publishing documents between two computer systems or nodes that are connected together in a network environment and more particularly relates to a system and method for name resolution between a user-friendly handle signifying identity with a machine location where the documents are stored, so that network users may easily access these documents through knowledge of the user-friendly handle. In other words, a user's documents may be accessed through use of a user- friendly handle identifying the user and a path name that describes the documents of interest, which are resolved to a machine location where the documents are stored. An email address is an exemplary example of a user-friendly handle and an IP address or public key are exemplary examples of machine locations. The computer system or node where the documents are stored is referred to as the publishing computer system or node and the computer system that seeks to access documents stored on the publishing node is referred to as the accessing computer system or node. hi accordance with particular aspects, a method of accessing documents stored on a first publishing computer system through a second accessing computer system begins when an identity information document from the first computer system is stored on the second computer system. The identity information document has, at a minimum, a user-friendly handle identifying a principal and a machine location for the first computer system. When an initial request for access to documents containing the user-friendly handle is made, it is intercepted by the second computer system. The second computer system replaces the user-friendly handle with the machine location and sends the amended request to the machine location of the first computer system. This method allows the second computer system to access documents on the first computer system with knowledge only on the user-friendly handle. Knowledge of the machine location, IP address, or public key for the first computer system is not necessary. In accordance with other aspects, the present invention relates to a method of publishing documents between a plurality of nodes connected in a network environment. The method begins by sending an identity information document from a publishing node to an accessing node. The identity information document includes at least a user-friendly handle identifying a principal and a machine location for the publishing node. The identity information document is thereafter stored on the accessing node. When an initial request for access to documents is made from the accessing node to the publishing node, the user-friendly handle is resolved with the machine location. Next, the amended request for access to documents is sent from the accessing node to the machine location of the publishing node. In accordance with still other aspects, the present invention relates to a computer system comprising a storage module for storing an identity information document received from a second computer system and a name resolution module connected to the storage module. The name resolution module intercepts requests for access to documents stored at the user-friendly handle of the identity information document and amends the request to replace the user-friendly handle with the machine location from the identity information document. In accordance with still other aspects, the present invention relates a computer readable medium encoding a computer program of instructions for executing a computer process for name resolution. The process starts with a store operation storing an identity information document from a publishing computer system. Next an intercept operation intercepts an initial request for access to documents stored on the publishing computer system when the initial request contains the user-friendly handle. Last, an amend operation amends the request to replace the user-friendly handle with the machine location.
Brief Description of the Drawings Fig. 1 illustrates a communication or distributed network of nodes that incorporates aspects of the present invention. Fig. 2 illustrates a computer system that may be used according to particular aspects of the present invention. Fig. 3 illustrates the structure of an identity information documents according to particular aspects of the present invention. Fig. 4 illustrates a representation of the software environment according to aspects of the present invention. Fig. 5 illustrates a flow chart of operational characteristics of the present invention with respect to an accessing node. Fig. 6 illustrates a flow chart of operational characteristics of an alternative embodiment of the present invention with respect an accessing node and a publishing node. Fig. 7 illustrates a flow chart of operational characteristics of yet alternative embodiment of the present invention with respect an accessing node and a publishing node. Detailed Description of the Preferred Embodiment A distributed environment 100 incorporating aspects of the present invention is shown in Fig. 1. The environment 100 has at least one computer system 102 and potentially other computer systems such as 108, 110, and 152, wherein the various computer systems are referred to as "nodes" or "machines." As used herein, a "computer system" shall be construed broadly and is defined as "one or more devices or machines that execute programs for displaying and manipulating text, graphics, symbols, audio, video, and/or numbers." Nodes in the network may be any type of computer system, including, without limitation, a telephone such as node 108, a PDA such as node 110, a desktop computer such as nodes 102 and 152, a lap top computer (not shown), and many others. Further, although shown as computer systems, nodes 102, 108, 110 and 152 may alternatively be computer processes within a computer system. Alternatively, the nodes 102, 108, 110 and 152 may combine a combination of separate computer systems distributed across a local area network, a wide area network, or a combination of separate network communications. As stated, each of the computer systems 102, 108, 110 and 152 are considered nodes within the environment 100 capable of communicating with other nodes within the environment 100 and sharing documents, information, and resources with other network nodes. Furthermore, the nodes may communicate via separate protocols such as TCP/IP or other network and/or communication protocols, implemented over networks such as the Internet 106. That is, although shown as connected by seemingly direct arrows, the separate nodes 102, 108, 110 and 152 may in fact be in communication with other nodes via other indirect ways. Indeed, the connections shown in 100 merely indicate that a node may communicate with another node. Communication between machines 102, 108, 110 and 152 maybe achieved, as stated, by many communication protocols. The definition of a communication used herein relates to the transfer of a message, an event, or any other information from one node to another. In an embodiment, the nodes of environment 100 may be able to communicate with all other nodes in the network 100, but such a requirement is not necessary. In order to communicate information from a first node to a second node, the first node needs the machine location or some other identifying information for the accessing node. Using the machine location, the sending node may send the information using any transfer protocol. Although only four nodes 102, 108, 110 and 152 are shown in Fig. 1, the network environment may include other nodes. Indeed, the number of nodes for environment 100 may be quite extensive incorporating thousands, to tens of thousands of nodes or more. Hence, the present invention is beneficial in scaling the environment 100 as needed so that practically any number of nodes may communicate information according to the present invention. The present invention relates to a user-friendly system and method for publishing or sharing resources stored on one network node, the "publishing node," with another network node, the "accessing node." Computer system 102 is an example of a publishing node and includes a database 104 having data organized into one or more directories, or folders, such as folders 118, 120, 122, and 124. The database 104 relates to a generic file system or other organized data system for storing and retrieving electronic documents. As such, the database 104 may include any type of data or file, which will be referred to herein as "documents." The term "documents" should be construed broadly and may include, but is not limited to, photographs, video clips, audio clips, text files, presentations, software code, or any other personal resource stored on a computer system. The documents may be organized within the database in any way, including without limitation, in folders and subfolders with descriptive names. For example, folder 118 may contain "jpeg" files and be entitled "photos," folder 120 may contain audio clips and be labeled music, folder 122 may contain "mpeg" files and be labeled video, and folder 124 may contain executable code and be labeled "software." The ellipse 126 indicates that there may be generally any number of folders in database 104 containing any types of documents. Although only one database 104 is shown, ellipse 128 indicates that the machine 102 may have more than one database that is organized in the same way or a different way than database 104. For example, the database 104 may be specific to a principal user of the machine and stored in that principal's profile located in the machine 102. As used herein, a "principal" should be construed broadly and defined as any entity capable of acting digitally. Principals include without limitation individual people, groups or sets of people meaning individuals, households, organizations, explicit groups, and people in common roles or people who share attributes of some kind as well as the various electronic devices through which these individuals act. Another principal may have a different database stored in machine 102 that is only accessible by that principal. Computer system 102 additionally maintains a set of self-identity information 130 that comprises a variety of information about the principal represented by or using the computer system 102. This information, for example, may include a name, email address, website URL, physical mailing address, machine location for the principal's computer system, and other personal information as well as a usage policy describing how this information may be used. Each of these different, identifying elements will be referred to hereafter as identity claims. Importantly, the set of identity claims include at least a user-friendly handle identifying the computer system 102 and a machine location. Computer system 102 is capable of creating an identity information document 116 containing some or all of the self-identity information 130 and sending the identity information document 116 to any other node in the environment 100 as shown by the dashed arrows 132 in Fig. 1. As used herein, "identity information document" shall mean a subset of identity information for a principal transmitted from one machine to another so as to allow the device that receives the identity information document to recognize the principal and the principal's associated digital events. Details of one possible format for the identity information document 116 will be discussed below with reference to FIG. 3. However, generally speaking, the identity information document 116 may be in a format suitable for transferring information between disparate systems across various types of channels. The channel used to transfer the identity information document 116 from the computer system 102 to a receiving system, such as computer system 152, can be any of a variety of possible media. For example, email, instant messaging, beaming, and many other mechanisms may be used as channels. Further, the channel may or may not be secure. The computer system 152 is an example of a accessing node and contains a control module 154 that reads the incoming identity information document 116 and accepts it or rejects it depending upon different variables. For example, if the identity information document 116 originates from a known principal, the computer system 152 will accept and store the identity information document 116. However, if an identity information document 116 arrives from an unknown principal, or if there is a fear that impostors have sufficient motivation to open and modify or forge the identity information document 152, the computer system 152 may reject the identity information document 116 or seek further verification of its authenticity. In an embodiment, once the identity information document 116 is accepted, the identity claims it contains are added to a recognized identity information database 156 of the computer system 152, which may use this information to verify and authenticate the computer system 102 in the future and employ channels of interacting with that principal that may not otherwise be trusted. The principal represented by the identity information document 116 may then, for example, be verified and given access to resources on the computer system 152 such as documents stored in a database like the database 104 of the computer system 102. Additionally, after the computer system 152 accepts and stores the identity information document 116 in its database 156, it will be able to use the identity claims for the principal of the computer system 102 to more easily and quickly access the documents contained in the database 104 of the computer system 102 as will be explained in detail with reference to FIGS. 4-6. In general however, the computer system 152 has a resolution module 160 that intercepts requests to access documents on computer system 102, which requests may come from a principal using the computer system 152 or may happen automatically. The initial request from the principal includes a user-friendly handle, e.g., the user friendly handle identity claim from the computer system 102. The resolution module 160 translates the user-friendly handle into a machine location, also received from the computer system 102, and enters the appropriate information into the web browser of the computer system 152, which, in turn, accesses the requested data on the computer system 102. Because of the resolution operation of the resolution module 160, the principal of the computer system 152 does not have to remember the machine location, IP address or public key for the computer system 102, but instead needs only to remember the user-friendly handle (and an associated path). In one embodiment of the present invention, computer system 152 also contains self-identity information (not shown) and the computer system 102 also contains a control module (not shown) and a recognized identity database (not shown), hi order for the principal of computer system 152 to access the documents in the database 104 of computer system 102, the principal of computer system 152 must send its own identity information document 158 to computer system 102 before he or she will be given access to documents in database 104. In other words, there must be a mutual exchange of identity information documents 116 and 158 for a principal of computer system 152 to easily request and gain access to the documents in the database 104. Alternatively, the computer system 102 may not require any verification or authentication process and may allow any accessing principal to access the documents contained in the database 104. In this case, only computer system 102 would need to send the identity information document 116 to computer system 152 in order for system 152 to access the database 104. That is, only a one-way exchange of identity information documents, from the publishing node to the accessing node, is needed. Fig. 2 shows a computer system 200 that may represent one of the nodes, such as 102 or 152 shown in Fig. 1, which receives and disseminates information and publishes and shares documents in accordance with the present invention. The system 200 has at least one processor 202 and a memory 204. The processor 202 uses memory 204 to store documents in databases, such as database 104, self- identity information 130, and recognized identity database 156. In its most basic configuration, computing system 200 is illustrated in Fig. 2 by dashed line 206. Additionally, system 200 may also include additional storage (removable and or non-removable) including, but not limited to, magnetic or optical disks or tape. Such additional storage is illustrated in Fig. 2 by removable storage 208 and non-removable storage 210. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Memory 204, removable storage 208 and non-removable storage 210 are all examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by system 200. Any such computer storage media may be part of system 200. Depending on the configuration and type of computing device, memory 204 maybe volatile, non- volatile or some combination of the two. System 200 may also contain communications connection(s) 212 that allow the device to communicate with other devices, such as other nodes 108, 110 or 152 shown in Fig. 1. Additionally, system 200 may have input device(s) 214 such as keyboard, mouse, pen, voice input device, touch input device, etc. Output device(s) 216 such as a display, speakers, printer, etc. may also be included. All these devices are well known in the art and need not be discussed at length here. Computer system 200 typically includes at least some form of computer readable media. Computer readable media can be any available media that can be accessed by system 200. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media has been described above. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media. Fig. 3 illustrates an exemplary format for an identity infomiation document 300 that may represent one or both of the identity information documents 116 and 158 shown in Fig. 1. As a data structure, the identity information document 300 is a collection of identity claims and other attribute/property claims that may be bound to a public key and governed by an embedded use policy. XML may be used as the encoding language for the identity information document. However, other formats are considered equally suitable. The elements of the identity information document 300 may also be optionally encrypted if they contain information whose confidentiality must be maintained. The data within the identity information document 300 can be divided into two categories, including a set of logical components 302 and a set of attribute tags 316. The identity information document 300 has six principal logical components: 1) a principal identifier 304; 2) one or more identity claims of the principal 306; 3) a display name and zero or more selectively disclosed attributes of the principal 308; 4) one or more keys 310 for the principal enveloped in any acceptable formats (for example public keys in X509v3 certificates); 5) a use policy that expresses the principal's privacy requirements 312; and 6) a digital signature over the entire content of the identity information that protects the integrity of the data and authenticates the sender in the case of identity information updates 314. Each of these six logical components 302 are discussed in turn below. The principal identifier 304 is a user-friendly handle that identifies the principal that is the principal of the identity claims contained in the identity information document 300. The preferred principal identifier 304 is the principal's email address if the principal is a person. However, the principal identifier should be construed broadly as any type of user- friendly handle that uniquely identifies a principal and may include, but is not limited to, email addresses, telephone numbers, mobile phone numbers, etc. Identity claims 306 include additional structured information relating to the principal that is the subject of the identity information document. Identity claims should be construed broadly as descriptive information about a principal that may include, but are not limited to, physical mailing addresses, telephone and facsimile numbers, employer information, date of birth, etc. Even more particularly, "identity claims" are uniquely true about one entity (a person, an organization, etc). Thus, in some instances, a telephone number may be a valid identity claim for one person. For example, a cell phone number, a direct dial work number or a home number may be a valid identity claim for someone who does not share a cell phone, a direct dial work number or who lives alone. In other cases, a telephone may not be a valid identity claim for a single person, such as a home phone number shared by a family of people. In such a case the home telephone number could be an identity claim to represent the household, but not one individual. The machine location 308 provides a unique address for the principal's computer system, and may include without limitation, an IP address or a public key. Like a physical street address, the machine location is necessary to locate, connect to, and or communicate with a computer system within a distributed network. The machine location 308 may actually include a list of machine locations if a principal has more than one computer system or if the computer system is mobile, such as a laptop computer system or a PDA. In one embodiment, each machine location may contain a list of documents stored at that machine location. For example, if a principal has a first computer system storing jpeg files at a "photos" path name and a second computer system storing sound recordings at a "music" path name, the machine location 308 may include an IP address for each of the first and second computer systems and an indication that "photos" are stored at the machine location for the first computer system and that "music" is stored at the machine location for the second computer system. The keys portion 310 contains one or more keys, such as public keys encapsulated within a certificate format (for example, X509v3 certificates). The keys 310 can be public keys and can be included in the identity information as recognition infomrationf or the subj ect of the identity information. If a certificate is used, it may be self-signed or issued by a certificate authority. The use policy 312 conveys the principal's instructions about permissible uses for the contents of the identity information document 300. For example, the use policy 312 may indicate that the contents of the identity information should not be divulged to others. A recipient's recognized identity information database, such as database 156 in Fig. 1, will store the use policy along with the rest of the information defining the principal. The digital signature 314 provides a principal with the ability to sign data within the identity information document. XML signatures have three ways of relating a signature to a document: enveloping, enveloped, and detached.
According to one embodiment of the present invention, the identity information document uses XML enveloped signatures when signing the identity information content. The identity information document 300 can carry six or more attributes tags 316 relating to the identity information document 316 itself. Although not shown, the attribute tags may include an ID value for the identity information document 300, version information for the document 300 and/or the principal type that the document 300 represents, e.g., a person, computer or organization. Other attribute tags may also be employed. In an embodiment, the identity information document is stored in a generalized manner on the primary computer system, such as systems 102 and 402 described above in conjunction with Figs. 1 and 4, respectively. Fig. 4 illustrates the functional components related to accessing and sharing or publishing documents between two or more computer systems 402 and 450. That is, Fig. 4 represents software components or modules according to aspects of the present invention. In particular, Fig. 4 illustrates a publishing node or computer system 402 and an accessing node or computer system 452 and their associated modules used to publish and access documents according to the present invention. Computer system 402 has among other modules that are not shown, the following components: 1) a database 404; 2) an identity information document module 414; 3) a user-interface module 416; 4) a verification and publish module 418; 5) a memory access module 420; 6) a communication module 422; and (vii) a self-identity information database 424. Like the database 104 shown in Fig. 1, the database 404 contains documents that may be organized into folders 406, 408, 410, and 412. In this example, these documents represent the documents to be published to the system 452 and thus accessed by system 452. The user-interface module 416 allows the principal of the computer system
402 to access and control any of the other modules including without limitation, the memory access module 420, the identify information module 414, and the communication module 422. Although the present invention and in particular, the example shown in Fig. 4 contemplates user interaction on the system 402, such is not necessary to accomplish aspects of this invention. The memory access module 420 allows the computer system 402 and/or the principal to access data stored on the system, such as data contained in the database 402 and/or data contained in the self-identity information database 424. Alternatively, the computer system 402 may access the memory access module 420 through other modules, such as the identity information document module 414 or the verification and publish module 418. The principal uses the user-interface module 416 to control the memory access module 414. The identity information document module 414 creates identity information documents, such as the identity information document 300 shown in Fig. 3, by using the memory access module 414 retrieve to pull data from the self-identity information database 424. The identity information document module 414 may create an identity information document upon a command from the principal through the user interface module 416 or may alternatively create identity information documents through a standardized procedure without a direct command from the principal. The identity information document module 414 transfers the identity information document to the communication module 422 for communication to other nodes in the network. In other embodiments, the identity information document is simply stored in memory, and, upon request, the document is transmitted to another system via communication module 422. The conimunication module 422 controls communications between the computer system 402 and other nodes of the network, including both sending and receiving information to or from other network nodes, such as computer system 452. In general, the principal controls the commumcation module 422 through the user- interface module 416 and may through this process command that the identity information document be sent to other computer systems, such as computer system 452. The communication module 422 also allows the principal to send other types of information, such as email, to other nodes of the network. The verification and publication module 420 receives requests to access and publish documents, such as those in database 404, from other network nodes through the communications module 422. In one embodiment, the verification and publication module 422 performs a gate-keeping function and attempts to verify that the accessing computer system has permission from the principal to receive the published documents. If permission exists, the verification and publication module 420 uses the memory access module 420 to retrieve the requested documents and publishes the documents by sending them to the communication module 422 for communication to the accessing computer system. If permission does not exist, the verification and publication module 420 denies the request to publish, which is communicated to the accesser through the communication module 422. In an alternative embodiment, the verification and publication module 420 does not act as a gate-keeper, but rather retrieves and publishes all requested documents. Computer system 452 is an example of an accessing node, similar to node
152 of Fig. 1, and contains the following components: 1) a communication module 454; 2) a verification module 460; 3) a storage module 458; 4) a name resolution module 456; and 5) a user-interface module 462. Similar to the user-interface module 416, the user-interface module 462 allows the principal of the computer system 452 to access and control any of the other modules including without limitation, the communication module 422. So, for example the principal of system 452 might use the user-interface module 416 to direct the communications module 422 to send a request to publish documents to the publishing node 402. Like communication module 422, the conimunication module 454 controls communications between the computer system 452 and other nodes of the network, including both sending and receiving information from other network nodes, such as computer system 402. The communication module 454 is responsible for forwarding identity information documents that it receives from other network nodes to the verification module 460. The verification module 460 is responsible for translating identity information documents and determining whether they come from a trusted source, a trusted channel, or can otherwise be authenticated. If the identity information document is accepted, the verification module transfers the identity information document to the storage module 458. In essence, the verification module 460 relates to some function of control module 154 in Fig. 1 in that it reads the incoming identity information document 116 and accepts it or rejects it depending upon different variables. The storage module 458 stores the identity information document for later uses by the computer system 452. As with the verification module 460, the storage module 458 also performs some of the functions of the control module 154 shown and described in conjunction with Fig. 1 in that it stores accepted identity information documents. / Finally, the name resolution module 456 is responsible for intercepting a request to access published documents from another network node in the form of a user-friendly handle from the communications module 454. As discussed above, the request most likely comes from the principal via the user-interface module 462. The name resolution module 456 further is responsible for searching the storage module 458 for an identity information document with a principal identifier (such as principal identifier 304 in Fig. 3) that matches the intercepted user-friendly handle, amending the request to substitute or replace the user-friendly handle with the machine location set forth in the identity information document, and sending the request to publish documents in the form of the machine location back to the communication module 454. The name resolution module 456 is similar to resolution module 160 from Fig. 1 in that it that intercepts requests to access documents from an accessing node, translates the user-friendly handle into a machine location for the publishing node, and enters the appropriate information into the web browser of the computer system 152, which, in turn, accesses the requested data on the publishing node. Fig. 5 shows a method for publishing documents located on a publishing computer system, such as computer system 102 in Fig. 1 or 402 in Fig. 4, to an accessing computer system, such as computer system 152 in Fig. 1 or 452 in Fig. 4. Flow 500 generally relates to the process performed by accessing node. Flow 500 begins with store operation 502, wherein an identify information document, such as one from a publishing node, is stored in a location on the accessing computer system, such as in a recognized identity database 156 from Fig. 1. Like the identity information document 300 shown in Fig. 3, the identity information document received will contain at a minimum a user-friendly handle identifying the principal of the publishing system, such as an email address, and a machine location for the principal's computer system, such as an IP address. Sometime thereafter, intercept operation 504 intercepts an initial request to access published documents that are stored on the publishing node. The request may be one initiated by the principal of the accessing node, one initiated by another modules within the accessing computer system, or an automatic request. The request will be in the form of or contain a user-friendly handle identifying the principal of the publishing node or the publishing node itself. For example, the request may be to access documents located at an e-mail address. Next, search operation 506 searches previously received and stored identity information documents to determine whether a principal identifier matches the user- friendly handle received in the request operation 504. If the system is unable to locate a matching identity information document in step 506, the flow 500 branches NO 507 which notifies the principal or other module that the request has failed. Upon notifying the principal that the request failed, process 500 ends. At this time, the principal may re-enter the request or another, similar request to start the process over. If instead search operation 506 locates the matching identity information document, i.e., one that has a principal identifier that matches the e-mail address received at step 504, flow 500 braches YES to determination operation 508. Determination operation 508 determines the machine location, which is included in identity information document located in step 506. Following determination operation 508, resolution operation 510 replaces the user-friendly handle, e.g., the email address with the machine location, e.g., IP address 123.123.023.002. Next, send operation 512 sends the request to publish documents in the form of the machine location, rather than the user-friendly handle, to the publishing node. Steps 506 and 508-512 happen behind the scenes and are not revealed to the principal. Rather, it appears to the principal that his or her request for access to the published documents is delivered in the form of the user-friendly handle, the email address, and not the meaningless machine location. In this way, a principal may access documents located on a different computer system through knowledge only of a user-friendly handle identifying the principal of the publishing computer system. The principal of the accessing system does not need to know or remember cumbersome numbers, such as IP addresses, to access these documents. Fig. 6 likewise shows a method for publishing documents located on a publishing computer system, but shows both the processes performed by the publishing node, such as computer system 102 or 402, and the accessing node, such as computer system 152 or 452. Flow 600 begins with deliver operation 602, which delivers to another node, such as the accessing node, a path name for a location of one or more documents and a user-friendly handle identifying the principal of the publishing node. For example, send operation might comprise an email message from the principal of the publishing node, whose name is Bob, that says: "check out my photos at bob@xyz.com/photos." Alternatively, the principal may send the path name and user-friendly handle to the accessing node or principal via a telephone call, faxed document, or by some other means. Flow 600 moves to receive operation 604 where the accessing machine receives the path name for documents and user- friendly handle identifying the principal of the publishing machine. Next, send operation 606 sends the accessing node an identity information document for the principal of the publishing machine, in this example, Bob's identity information document. Receive operation 608 receives Bob's identity information document, followed by store operation 609, which stores the identity information document in a recognized identity database, similar to database 156 described and shown in conjunction with Fig. 1. In an alternative embodiment, verification operation (not shown) occurs after receive operation 608 and before store operation 609. Verification operation attempts to authenticate the principal represented by the identity information document and makes a decision about whether or not to accept and store the identity information document. Sometime thereafter, intercept operation 610 intercepts an initial request for access to documents. The initial request may originate from a principal or some ' other source and seeks to gain access to documents at a user-friendly handle/path location, such as bob@xyz.com/photos. Next, resolution operation 612 resolves the initial request to create an amended request by substituting the user-friendly handle with a machine location using the process described in detail in Fig. 5, namely finding a matching identity information document, determining the machine location, and substituting the machine location for the user-friendly handle. In an alterative embodiment, parse operation (not shown) separates the user- friendly handle and the path name and searches for a match only with the user- friendly handle portion of the initial request. For example, parse operation would drop "/photos" and search for a principal identifier with Bob's email at bob@xyz.com. In yet another alternative embodiment, the principal's identity information document includes more than one machine location and an additional search operation (not shown) search each of the machine locations in the identity information document to determine which machine location contains the path name included in the intercepted request. The resolution operation 612 then substitutes the machine location that corresponds with the path name set forth in the initial request. After completion of resolution operation 612, send operation 614 sends the amended request for published documents using the machine location instead of the user-friendly handle. If a path name is involved, send operation 614 further includes a request to access documents located at that path. At this point flow 600 shifts back to the publishing machine at receive operation 616, receiving the amended request to access documents at the specified path, in this case, the photos folder, such as folder 118 in Fig. 1. Next, verification operation 618 determines whether the principal of the accessing node is authorized to view the requested documents. If the accessing principal is not authorized, flow 600 braches NO deny operation 620, which denies the request for access to documents and the process ends. If the accessing principal is authorized, flow 600 branches YES to locate operation 622 which locates the requested documents using the path name included in send operation 614. Finally, publish operation 624 published the requested documents and flow 600 ends. In one embodiment of the present invention, verification operation 618 checks to determine whether the accessing principal is listed in a recognized identity database, that is, whether the accessing principal has previously sent the publishing node his or her identity information document. If the answer is yes, verification operation 618 branches YES to locate operation 622. Thus, in this embodiment a mutual exchange of identity information documents is required for documents to be published by one machine to another. This is the most secure way to publish documents. In an alternative embodiment of the present invention, verification operation 618 does not require that the accessing principal send its identity information document. Instead, verification operation 618 may consider other variable in determining whether to allow access to the requested documents or verification operation 618 and deny operation 620 may be omitted from flow 600 altogether. Rather, flow 600 would proceed from receive operation 616 directly to location operation 622. hi other words, the publishing machine may decide that it will allow anyone with its identity information document to access documents on its system. Although this method is simpler than the last, it is not as secure as requiring a mutual exchange of identity information documents. In yet another alternative embodiment, notify operation (not shown) notifies the accessing node that the request for access to documents has been denied. Upon notification, another send operation (not shown) may send the publishing node an identity information document representing the accessing node or its principal and start the process over at intercept operation 610. If the publishing node has received the accessing node's identity information document, flow 600 is more likely to branch YES to location operation 622 than to branch NO to deny operation 620. In further alternative embodiment of the present invention, the machine location portion of the identity information document may contain a public key rather than an IP address. As used herein, a "public key" should be construed broadly and be defined as a code unique to a principal consisting of numbers and/or letters with no recognized meaning. The foregoing system and methods would work as described above with one exception, described below. When a pubic key is used as a machine location in the identity information document, the public key is used to look up the principal's current machine location, which may be an IP address, using a peer name resolution protocol ("PNRP"). PNRP generally consists of a distributed system of knowledge including hashes of public keys and current machine locations. Thus the public key is used to find a principal's "current" machine location. As used herein, "current machine location" should be construed broadly to mean a machine location at a given point in time. For example, if a computer system uses a dynamic IP address, its current machine location may change from a first point in time to second, later point in time. Use of a public key and PNRP will allow an accessing node to access documents from a publishing node even if the publishing node is using a dynamic IP address. Alternatively, a current machine location may change if the machine is mobile, such as a lap top computer system or a PDA. PNRP is capable of tracking current machine locations for mobile machines as well. Further, use of a public key and PNRP will allow an accessing node to access documents from a publishing node even if the publishing node is mobile. If a public key is used as the machine location, the accessing node must know the publishing node's public key in order to gain access to the publishing node's documents. The only way for the accessing node to get the publishing node's public key is for the publishing node to send the accessing node its key. In this way, the publishing node is able to effectively control those who are able to access its resources by controlling to whom it sends its public key. Fig. 7 shows yet another embodiment of the present invention involving a method for publishing documents located on a publishing computer system, such as computer system 102 or 402, to an accessing computer system, such as computer system 152 or 452. Flow 700 begins with a register operation registering an encrypted machine name, a host domain, and an associated registered machine location with a conventional DNS server. DNS servers generally store a table with machine names appended to host domains along with a corresponding registered machine location, such as an IP address. Network users use the DNS server to look up the registered IP addresses for specific machines. As used herein, an "encrypted machine name" shall mean a public key that has been changed into a secret code that people cannot understand or use on normal equipment. One way to create an encrypted machine name is to apply an algorithm to the public key. Next, deliver operation 706 delivers a path name for a location of one or more documents and a user-friendly handle identifying the principal of the publishing node. Flow 700 moves to receive operation 706 where the accessing machine receives the path name for documents and user-friendly handle identifying the principal of the publishing machine. Sometime thereafter, send operation 708 sends the accessing node an identity information document for the principal of the publishing machine. The identity information document includes at least a principal identifier, a public key, and a domain host for the principal of the publishing node. Receive operation 610 receives the identity information document, followed by store operation 712, which stores the identity information document in a recognized identity database, similar to database 156 described and shown in conjunction with Fig. 1. Sometime thereafter, intercept operation 712 intercepts an initial request for access to documents. The initial request may originate from a principal or some other source and seeks to gain access to documents at a user-friendly handle/path location. Next, resolution operation 714 resolves the user-friendly handle in the initial request with a public key and domain host set forth in an identity information document with a principal identifier that matches the user-friendly handle using the process described in detail in Fig. 5. Next, convert operation 718 performs a computation on the public key to convert it to the encrypted machine name and append operation 720 appends the encrypted machine name to the domain host. In one embodiment, the convert operation comprises performing an algorithm on the public key, wherein the algorithm is the same algorithm used by the publishing node in register operation 702. The algorithm may be a standard algorithm used commonly by many network nodes, or may be a specific algorithm that was received by the accessing node in some other way. Flow 700 then moves to lookup operation 722, which uses the encrypted machine name/domain host combination to look up the registered machine location on a DNS server. After completion of lookup operation 722, amend operation 724 amends the initial request to substitute the user-friendly handle with the registered machine location and sends the amended request for published documents using the registered machine location instead of the user-friendly handle. If a path name is involved, send operation 614 further includes a request to access documents located at that path. The benefit of using the method illustrated by flow 700 is that it allows a publishing machine to employ additional security measures while utilizing conventional DNS servers. Normally, DNS addresses are publicly available and potential hackers can use the DNS servers to learn a publishing node's machine name and machine location. Hackers may then use this information to gain unauthorized access to a publishing node's resources. Registering an encrypted machine name with the DNS server prevents hackers from learning the publishing node's machine name, but makes it more difficult for authorized user's to gain access to the publishing node's resources. Process 700 allows authorized accessing nodes to access the publishing node's resources with knowledge only of the user- friendly handle. The publishing node does not need to know the unfriendly encrypted machine name or domain host in order to access the publishing node's resources. Security is enhanced because the accessing node must receive the publishing node's identity information document in order to utilize the name resolution method. Although the invention has been described in language specific to computer structural features, methodological acts and by computer readable media, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific structures, acts or media described. As an example, different formats other than XML may be used to encode identification information. Therefore, the specific structural features, acts and mediums are disclosed as exemplary embodiments implementing the claimed invention. Using the above described methods of name resolution, the present invention established that a user-friendly handle identifying the principal of the publishing machine may be associated with or resolve to a machine location so that the principal of the accessing machine need only know the user- friendly handle in order to access the requested documents on the publishing machine. Further the association process is transparent and occurs without the principal's knowledge or involvement. The above specification, examples and data provide a complete description of the manufacture and use of the composition of the invention. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims hereinafter appended.

Claims

What is claimed is: 1. A method of accessing documents stored on a first computer system through a second computer system, the first and second computer systems connected in a network environment, said method comprising: storing an identity information document from the first computer system, the identity information document comprising a user-friendly handle identifying a principal and a machine location for the first computer system; intercepting a request for access to documents when the request is directed to the user-friendly handle; replacing the user-friendly handle with the machine location; and sending request for access to documents to the machine location of the first computer system.
2. The method of claim 1 wherein the user-friendly handle comprises an email address.
3. The method of claim 1 wherein the machine location comprises and IP address.
4. The method of claim 1 wherein the machine location comprises a public key.
5. The method of claim 1 wherein the request for access to documents comprises a principal-initiated request.
6. The method of claim 1 further comprising an initial step of receiving the identity information document from the first computer system.
7. A method of publishing documents between a plurality of nodes, the nodes connected in a network environment, said method comprising: sending an identity information document from a publishing node to an accessing node, the identity information document comprising a user-friendly handle identifying a principal and a machine location for the publishing node; storing the identity information document on the accessing node; resolving the user-friendly handle with the machine location in a request for access to documents, wherein the request is made from the accessing node to the publishing node; and sending the request for access to documents from the accessing node to the publishing node.
8. The method of claim 7 wherein the user-friendly handle comprises an email address.
9. The method of claim 7 wherein the user-friendly handle comprises a telephone number.
10. The method of claim 7 wherein the machine location comprises an IP address.
11. The method of claim 7 wherein the machine location comprises a public key.
12. The method of claim 11 further comprising: using the public key to determine the current machine location for the publishing node.
13. The method of claim 11 further comprising: registering an encrypted machine name and a registered machine location for the publishing node with a DNS server; resolving the user-friendly handle with the public key; converting the public key to the encrypted machine name; using the encrypted machine name to look up the registered machine location for the publishing node on the DNS server; and sending the request for access to documents to the registered machine location.
14. The method of claim 7 further comprising: verifying that the accessing node has authorization from the publishing node to review the requested documents before publishing the requested documents.
15. The method of claim 7 further comprising: delivering a path name for documents stored on the publishing node to the accessing node.
16. The method of claim 15 wherein the path name is delivered to the accessing node by email.
17. The method of claim 7 further comprising: delivering a path name for documents stored on the publishing node to a principal of the accessing node.
18. The method of claim 17 wherein the path name is delivered to the principal of the accessing node by a telephone call.
19. The method of claim 7 wherein the resolving step further comprises : intercepting the request for access to documents when the request is directed to the user-friendly handle; finding a matching identity information document having a user- friendly handle that matches the user-friendly handle in the request; determining the machine location from the matching identity information document; and amending the request to substitute the user-friendly handle with the machine location.
20. The method of 7 further comprising: delivering a path name combined with the user-friendly handle to the accessing node; and parsing the path name from the user-friendly handle prior to resolving the user-friendly handle with the machine location.
21. The method of claim 20 further comprising: adding the path name to the request for access to documents before sending the request to the publishing node.
22. The method of claim 7 wherein the identity information document further comprises more than one machine location for principal identified by the user-friendly handle.
23. A method of using a user-friendly handle to access documents stored on a first computer system in a network environment, the method comprising: storing an identity information document from the first computer system, the identity information document comprising a user-friendly handle identifying a principal and a machine location for the first computer system; intercepting a request for access to documents in the form of the user- friendly handle; amending the request to replace the user-friendly handle with the machine location; and sending the amended request to access the documents to the machine location of the first computer system.
24. The method of claim 23 wherein the user-friendly handle is an email address.
25. The method of claim 23 wherein the machine location comprises an IP address.
26. The method of claim 23 wherein the machine location comprises a public key.
27. The method of claim 26 further comprising: using the public key to determine the current machine location for the publishing node.
28. The method of claim 23 further comprising an initial step of: receiving the identity information document from the first computer system.
29. The method of claim 23 further comprising the step of receiving published documents from the first computer system.
30. A computer system comprising: a storage module for storing an identity information document received from a second computer system, the identity information document comprising a user-friendly handle identifying a principal and a machine location for the second computer system; and a name resolution module connected to the storage module for intercepting requests for access to documents stored at the user-friendly handle and amending the request to replace the user-friendly handle with the machine location.
31. The computer system of claim 30 wherein the user-friendly handle is an email address.
32. The computer system of claim 30 wherein the machine location comprises an IP address.
33. The computer system of claim 30 wherein the machine location comprises a public key.
34. The computer system of claim 30 further comprising: a communication module connected to the name resolution module for sending and receiving communications to and from the second computer system.
35. A computer readable medium encoding a computer program of instructions for executing a computer process for name resolution, said computer process comprising: storing an identity information document from a publishing computer system, the identity information document comprising a user-friendly handle identifying a principal and a machine location for the publishing computer system; intercepting a request for access to documents stored on the publishing computer system, wherein the request contains the user- friendly handle; and amending the request to replace the user- friendly handle with the machine location.
36. The computer process of claim 35 wherein the user-friendly handle comprises an email address.
37. The computer process of claim 35 wherein the machine location comprises an IP address.
38. The computer process of claim 35 wherein the machine location comprises a public key.
39. The computer process of claim 38 further comprising: using the public key to determine the current machine location for the publishing node.
40. The computer process of claim 38 further comprising: registering an encrypted machine name and a registered machine location for the publishing node with a DNS server; resolving the user- friendly handle with the public key; converting the public key to the encrypted machine name; using the encrypted machine name to look up the registered machine location for the publishing node on the DNS server; and sending the request for access to documents to the registered machine location.
41. The computer process of claim 40 wherein the converting step comprises performing an algorithm on the public key.
42. The computer process of claim 35 wherein the identity information document further comprises more than one machine location for principal identified by the user-friendly handle.
PCT/US2004/024341 2003-10-23 2004-07-29 System and method for name resolution WO2005045741A2 (en)

Priority Applications (9)

Application Number Priority Date Filing Date Title
EP14000362.5A EP2728489B1 (en) 2003-10-23 2004-07-29 System and method for name resolution
AU2004279198A AU2004279198B2 (en) 2003-10-23 2004-07-29 System and method for name resolution
BR0406385-6A BRPI0406385A (en) 2003-10-23 2004-07-29 System and method for name resolution
KR1020057007527A KR101109371B1 (en) 2003-10-23 2004-07-29 System and method for name resolution
MXPA05006610A MXPA05006610A (en) 2003-10-23 2004-07-29 System and method for name resolution.
CA002501466A CA2501466A1 (en) 2003-10-23 2004-07-29 System and method for name resolution
CN2004800013097A CN1820264B (en) 2003-10-23 2004-07-29 System and method for name resolution
JP2006536581A JP5065682B2 (en) 2003-10-23 2004-07-29 System and method for name resolution
EP04779407.8A EP1625511B1 (en) 2003-10-23 2004-07-29 System and method for name resolution

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/693,516 2003-10-23
US10/693,516 US8473634B2 (en) 2003-10-23 2003-10-23 System and method for name resolution

Publications (2)

Publication Number Publication Date
WO2005045741A2 true WO2005045741A2 (en) 2005-05-19
WO2005045741A3 WO2005045741A3 (en) 2005-12-22

Family

ID=34522412

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2004/024341 WO2005045741A2 (en) 2003-10-23 2004-07-29 System and method for name resolution

Country Status (11)

Country Link
US (1) US8473634B2 (en)
EP (2) EP1625511B1 (en)
JP (1) JP5065682B2 (en)
KR (1) KR101109371B1 (en)
CN (1) CN1820264B (en)
AU (1) AU2004279198B2 (en)
BR (1) BRPI0406385A (en)
CA (1) CA2501466A1 (en)
MX (1) MXPA05006610A (en)
RU (1) RU2373572C2 (en)
WO (1) WO2005045741A2 (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9715500B2 (en) * 2004-04-27 2017-07-25 Apple Inc. Method and system for sharing playlists
US8261058B2 (en) * 2005-03-16 2012-09-04 Dt Labs, Llc System, method and apparatus for electronically protecting data and digital content
US20070271136A1 (en) * 2006-05-19 2007-11-22 Dw Data Inc. Method for pricing advertising on the internet
US7995568B2 (en) * 2006-06-12 2011-08-09 International Business Machines Corporation Capturing user interface switch states
US7975143B2 (en) * 2006-06-12 2011-07-05 International Business Machines Corporation Method, system, and program product for generating and validating digital signatures
US8572751B2 (en) * 2006-06-12 2013-10-29 International Business Machines Corporation Method, system, and program product for preventing unauthorized changes to an electronic document
US20080126950A1 (en) * 2006-11-28 2008-05-29 Patrick Leo Glenski Smart Reply Function on Web Pages
US10552391B2 (en) * 2008-04-04 2020-02-04 Landmark Graphics Corporation Systems and methods for real time data management in a collaborative environment
US8806190B1 (en) 2010-04-19 2014-08-12 Amaani Munshi Method of transmission of encrypted documents from an email application
TWI441498B (en) * 2011-06-07 2014-06-11 Hon Hai Prec Ind Co Ltd Terminal device and method for exchanging voip signaling
US9961524B2 (en) * 2012-01-27 2018-05-01 Samsung Electronics Co., Ltd. Method and apparatus for efficient security management of disaster message in mobile communication system
WO2013143137A1 (en) * 2012-03-31 2013-10-03 France Telecom Research & Development Beijing Company Limited Content centric m2m system
KR102264992B1 (en) 2014-12-31 2021-06-15 삼성전자 주식회사 Method and Device for allocating a server in wireless communication system
WO2019005857A1 (en) * 2017-06-28 2019-01-03 Apple Inc. Entitlement system
US11501010B2 (en) 2020-05-20 2022-11-15 Snowflake Inc. Application-provisioning framework for database platforms
US11249988B2 (en) * 2020-05-20 2022-02-15 Snowflake Inc. Account-level namespaces for database platforms
US11593354B2 (en) 2020-05-20 2023-02-28 Snowflake Inc. Namespace-based system-user access of database platforms
CN115543924B (en) * 2022-11-29 2023-08-15 粤港澳大湾区数字经济研究院(福田) Task processing method and related device based on trusted management platform

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002075572A1 (en) 2001-03-20 2002-09-26 Worldcom, Inc. User aliases in a communication system

Family Cites Families (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4509119A (en) * 1982-06-24 1985-04-02 International Business Machines Corporation Method for managing a buffer pool referenced by batch and interactive processes
US4660169A (en) * 1983-07-05 1987-04-21 International Business Machines Corporation Access control to a shared resource in an asynchronous system
IT1227711B (en) * 1988-11-18 1991-05-06 Caluso Torino MULTIPROCESSOR SYSTEM FOR DATA PROCESSING TO SHARED DISTRIBUTED RESOURCES AND STALL PREVENTION.
US5222238A (en) * 1991-09-05 1993-06-22 International Business Machines Corp. System and method for shared latch serialization enhancement
DE69433372T2 (en) 1993-04-05 2004-10-14 Motorola, Inc., Schaumburg Selective call with several distributed outputs
US6119151A (en) 1994-03-07 2000-09-12 International Business Machines Corp. System and method for efficient cache management in a distributed file system
US5812776A (en) * 1995-06-07 1998-09-22 Open Market, Inc. Method of providing internet pages by mapping telephone number provided by client to URL and returning the same in a redirect command by server
GB9603582D0 (en) * 1996-02-20 1996-04-17 Hewlett Packard Co Method of accessing service resource items that are for use in a telecommunications system
US5872847A (en) * 1996-07-30 1999-02-16 Itt Industries, Inc. Using trusted associations to establish trust in a computer network
US6047376A (en) * 1996-10-18 2000-04-04 Toshiba Information Systems (Japan) Corporation Client-server system, server access authentication method, memory medium stores server-access authentication programs, and issuance device which issues the memory medium contents
US6026433A (en) * 1997-03-17 2000-02-15 Silicon Graphics, Inc. Method of creating and editing a web site in a client-server environment using customizable web site templates
US5937199A (en) * 1997-06-03 1999-08-10 International Business Machines Corporation User programmable interrupt mask with timeout for enhanced resource locking efficiency
US5991810A (en) * 1997-08-01 1999-11-23 Novell, Inc. User name authentication for gateway clients accessing a proxy cache server
US6092196A (en) * 1997-11-25 2000-07-18 Nortel Networks Limited HTTP distributed remote user authentication system
US6219694B1 (en) * 1998-05-29 2001-04-17 Research In Motion Limited System and method for pushing information from a host system to a mobile data communication device having a shared electronic address
WO2000074334A2 (en) 1999-05-27 2000-12-07 Internet Management Systems, Inc. Universal address system and mehtod
US7100195B1 (en) * 1999-07-30 2006-08-29 Accenture Llp Managing user information on an e-commerce system
US7131001B1 (en) * 1999-10-29 2006-10-31 Broadcom Corporation Apparatus and method for secure filed upgradability with hard wired public key
JP2001297027A (en) 2000-04-13 2001-10-26 Nec Corp Device and method for sharing data file
US7000012B2 (en) * 2000-04-24 2006-02-14 Microsoft Corporation Systems and methods for uniquely identifying networks by correlating each network name with the application programming interfaces of transport protocols supported by the network
JP3955181B2 (en) 2001-02-05 2007-08-08 株式会社エヌジェーケー How to share and use information peer-to-peer
JP4742427B2 (en) * 2001-02-05 2011-08-10 ソニー株式会社 Receiving device, receiving method, and name resolution method
JP2002278903A (en) 2001-03-15 2002-09-27 Sony Corp Information processor, information processing method, recording medium and program
US7065587B2 (en) * 2001-04-02 2006-06-20 Microsoft Corporation Peer-to-peer name resolution protocol (PNRP) and multilevel cache for use therewith
US7761326B2 (en) * 2001-04-20 2010-07-20 Nippon Telegraph And Telephone Corporation Token type content providing system and token type content providing method and portable user terminal
US20040117404A1 (en) * 2001-07-31 2004-06-17 Crivella Arthur R. System for utilizing audible, visual and textual data with alternative combinable multimedia forms of presenting information for real-time interactive use by multiple users in differnet remote environments
US6990495B1 (en) * 2001-09-05 2006-01-24 Bellsouth Intellectual Property Corporation System and method for finding persons in a corporate entity
US7171457B1 (en) * 2001-09-25 2007-01-30 Juniper Networks, Inc. Processing numeric addresses in a network router
US7373406B2 (en) * 2001-12-12 2008-05-13 Valve Corporation Method and system for effectively communicating file properties and directory structures in a distributed file system
JP2003218941A (en) 2002-01-23 2003-07-31 Murata Mach Ltd Communication apparatus and program
US6990465B1 (en) * 2002-01-25 2006-01-24 Accenture Global Services Gmbh Establishment of preferred business partners using a vendor certification program
US7139840B1 (en) * 2002-06-14 2006-11-21 Cisco Technology, Inc. Methods and apparatus for providing multiple server address translation
US7139828B2 (en) * 2002-08-30 2006-11-21 Ip Dynamics, Inc. Accessing an entity inside a private network
JP2004363685A (en) 2003-06-02 2004-12-24 Kazuo Oku Ubiquitous server system
JP2006053581A (en) 2005-09-30 2006-02-23 Fuji Xerox Co Ltd Image forming apparatus and its cartridge

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002075572A1 (en) 2001-03-20 2002-09-26 Worldcom, Inc. User aliases in a communication system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SAMDARSHI PALI, SETTING UP WEB SERVICES USING DYNAMIC DOMAIN NAME SERVER (DDNS, 28 July 2001 (2001-07-28)
See also references of EP1625511A4

Also Published As

Publication number Publication date
EP2728489A1 (en) 2014-05-07
EP1625511A4 (en) 2011-08-03
EP1625511B1 (en) 2014-03-05
AU2004279198A1 (en) 2005-06-30
AU2004279198A8 (en) 2008-09-18
US20050091402A1 (en) 2005-04-28
EP1625511A2 (en) 2006-02-15
CA2501466A1 (en) 2005-04-23
CN1820264A (en) 2006-08-16
JP5065682B2 (en) 2012-11-07
RU2005120234A (en) 2006-01-20
CN1820264B (en) 2011-06-29
BRPI0406385A (en) 2005-08-09
WO2005045741A3 (en) 2005-12-22
JP2007509574A (en) 2007-04-12
EP2728489B1 (en) 2020-02-12
RU2373572C2 (en) 2009-11-20
KR20060113352A (en) 2006-11-02
US8473634B2 (en) 2013-06-25
MXPA05006610A (en) 2005-08-16
KR101109371B1 (en) 2012-01-30
AU2004279198B2 (en) 2010-06-17

Similar Documents

Publication Publication Date Title
EP1682967B1 (en) Method and system for identity recognition
US8473634B2 (en) System and method for name resolution
RU2444054C2 (en) Peer-to-peer contact exchange
US20050114447A1 (en) Method and system for identity exchange and recognition for groups and group members
US7676829B1 (en) Multiple credentials in a distributed system
RU2346398C2 (en) System and method of transferring shortcut information from certificate used for encryptation operations
US20040205243A1 (en) System and a method for managing digital identities
US8245051B2 (en) Extensible account authentication system
JP4746053B2 (en) Apparatus and method for controlling personal data
US20070061456A1 (en) Data access control
US20070255815A1 (en) Software, Systems, and Methods for Secure, Authenticated Data Exchange
US20240314095A1 (en) Controlling communications based on control policies with blockchain associated rules and blockchain authorization
Carlisle Adams et al. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)
WO2007118256A2 (en) Software, systems, and methods for secure, authenticated data exchange

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 2501466

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 2006536581

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 1020057007527

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 1853/DELNP/2005

Country of ref document: IN

AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

WWE Wipo information: entry into national phase

Ref document number: 20048013097

Country of ref document: CN

WWE Wipo information: entry into national phase

Ref document number: 2004279198

Country of ref document: AU

WWE Wipo information: entry into national phase

Ref document number: 2004779407

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: PA/A/2005/006610

Country of ref document: MX

ENP Entry into the national phase

Ref document number: 2005120234

Country of ref document: RU

Kind code of ref document: A

WWP Wipo information: published in national office

Ref document number: 2004279198

Country of ref document: AU

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWP Wipo information: published in national office

Ref document number: 2004779407

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1020057007527

Country of ref document: KR