Paul Ashley, Ph.D.

Brisbane, Queensland, Australia

About

With over three decades of experience, I specialize in digital identity, privacy, and…

Experience

  • Anonyome Labs, Inc.
  • Gold Coast
  • Gold Coast
  • Brisbane
  • Brisbane, Australia
  • Brisbane, Australia
  • Austin, Texas Metropolitan Area

Education

Publications

  • MySudo VoIP with Privacy Focus

    Watchman Privacy Podcast

    Gabriel speaks with Paul Ashley of Anonyome Labs: creators of the VoIP service MySudo. The service is essential for privacy users: it allows you to have up to nine legitimate phone numbers organized in a handy app that is zero-knowledge encrypted.

  • Reusable Digital Identity

    Privacy Files Podcast

    Dr. Ashley provides an update on the topic of decentralized identity and how companies are using blockchain technology to develop reusable credentials, sometimes referred to as reusable digital identity.

  • Privacy Solutions

    The Bid Picture Podcast

    Host Bidemi Ologunde spoke with Dr. Paul Ashley, the Chief Technology Officer at Anonyome Labs, a company that specializes in decentralized identity and privacy solutions.

  • Will Consumers Pay for an Identity Product?

    The Future of Identity Podcast

    Today’s guest is Paul Ashley, CTO and co-CEO of Anonyome Labs. Paul starts by talking about how the erosion of privacy online and the rise of data brokers and surveillance capitalism led them to create their IDtech product MySudo. MySudo is a privacy application that allows users to create secure digital profiles, or personas, with unique disposable phone numbers, emails, credit cards, and other identifiers to use across the internet.

  • Addressing Emerging Threats and Targeted Attacks with IBM Security Network Protection

    IBM Redpaper

    In networks today, organizations are faced with hundreds of new web and non-web applications that are available to their users. Social media applications, peer-to-peer file transfer applications, Voice over Internet Protocol (VoIP), web-based email, cloud data storage, and many others are all readily available. The ease and speed at which these new applications can be installed or simply accessed reduces the effectiveness of a perimeter-based security architecture and provides many new types of risks.
    This IBM® Redguide™ publication introduces the solution, which is an intrusion prevention system (IPS) that extends the capabilities of traditional protocol-based IPSes by providing application visibility and control. By using the IBM X-Force® advanced research and development, this solution provides critical insight and control of all user activities by analyzing each connection to identify the web or non-web application in use and the action being taken. The IBM Security Network Protection solution can then decide to allow or block the connection. Additionally, the solution is able to record connection information, including user and application context, and can use this information for local policy refinement including bandwidth management. Alternatively, the connection information can be sent off-box to a security information and event management (SIEM) system for longer term storage and analysis.
    The IBM Security Network Protection consolidation of the traditional IPS function, in combination with sophisticated user-based application control, can provide an integrated security solution. This approach allows for faster deployment and simplification of administration that is associated with the deployment of multiple products, reduces the cost of ownership and complexity, and provides for better return on investment (ROI).
    The target audience for this publication is business leaders, decision makers, network managers, IT security managers, and IT and business consultants.

    Other authors
  • Deploy IBM Security Network Protection in an Open vSwitch

    IBM developerWorks

    This article outlines how to configure IBM Security Network Protection (XGS5100) into an Open vSwitch–based software-defined network to protect your virtual assets. Open vSwitch is an OpenFlow–based virtual switch commonly used in cloud-based environments.

    Other authors
  • Providing Next Generation Intrusion Prevention Functionality by Using the IBM Security Network Protection System

    IBM Redpaper

    This IBM® Redguide™ publication introduces the solution, which is an intrusion prevention system (IPS) that extends the capabilities of traditional protocol-based IPSes by providing application visibility and control.

    Other authors
  • Understanding SOA Security Design and Implementation

    IBM Redbook

    Securing access to information is important to any business. Security becomes even more critical for implementations structured according to Service-Oriented Architecture (SOA) principles, due to loose coupling of services and applications, and their possible operations across trust boundaries. To enable a business so that its processes and applications are flexible, you must start by expecting changes – both to process and application logic, as well as to the policies associated with them. Merely securing the perimeter is not sufficient for a flexible on demand business.

    In this IBM Redbooks publication, security is factored into the SOA life cycle reflecting the fact that security is a business requirement, and not just a technology attribute. We discuss an SOA security model that captures the essence of security services and securing services. These approaches to SOA security are discussed in the context of some scenarios, and observed patterns. We also discuss a reference model to address the requirements, patterns of deployment, and usage, and an approach to an integrated security management for SOA.

    This book is a valuable resource to senior security officers, architects, and security administrators.

    Other authors
  • Federated Identity and Trust Management

    IBM Redpaper

    This IBM Redpaper discusses the IBM Tivoli software strategy and roadmap for a consistent, unified, and evolutionary approach to securing cross-enterprise e-business solutions. Built on open security standards, with tight integration to Web middleware (Java 2 Platform Enterprise Edition (J2EE) and Microsoft .NET), Tivoli security solutions allow you to increase the reach of your business. They build on existing Web security investments that can quickly evolve to take advantage of web services and federation standards.

    Other authors
  • Practical Intranet Security: Overview of the State of the Art and Available Technologies

    Kluwer Academic Publishers

    Practical Intranet Security focuses on the various ways in which an intranet can be violated and gives a thorough review of the technologies that can be used by an organization to secure its intranet. This includes, for example, the new security architecture SESAME, which builds on the Kerberos authentication system, adding to it both public-key technology and a role-based access control service. Other technologies are also included, such as a description of how to program with the GSS-API, and modern security technologies such as PGP, S/MIME, SSH, SSL, IPSEC and CDSA. The book concludes with a comparison of the technologies.
    This book is different from other network security books in that its aim is to identify how to secure an organization's intranet. Previously, books have concentrated on the Internet, often neglecting issues relating to securing intranets. However, the potential risk to business and the ease with which intranets can be violated is often far greater than via the Internet.
    The aim is that network administrators and managers can get the information that they require to make informed choices on strategy and solutions for securing their own intranets.
    The book is an invaluable reference for network managers and network administrators whose responsibility it is to ensure the security of an organization's intranet. The book also contains background reading on networking, network security and cryptography, which makes it an excellent research reference and undergraduate/postgraduate text book.

    Other authors

Patents

  • Apparatus and Method for Cross-Domain Digital Verifiable Credential Exchange

    Issued US 12,210,597

    A non-transitory computer readable storage medium has instructions executed by a processor to host a digital verified credential exchange in network communication with different verified credential operating environments. The digital verified credential exchange has a verified credential exchange engine in network communication with user and system interfaces for interacting with a verified credential holder machine, a credential database, a verified credential operating environment operating attributes database, an exchanged verified credential database, and an exchanged verified credential status monitor. The digital verified credential exchange automatically forms a reissued digital verified credential from a first verified credential operating environment for execution in a second verified credential operating environment.

    Other inventors
  • Apparatus and Method for Persistent Digital Rights Management

    Issued US 12,141,247

    A machine has a network interface circuit to provide connectivity to networked machines. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores instructions executed by the processor to record the purchase of a digital asset by a user at a client machine from a data source machine in network communication with the client machine. The location of the digital asset on one or more machines of the networked machines is archived. The location is separate from the data source machine. The digital asset is associated with a data access policy. A request for the digital asset is received. The data access policy is enforced through programmatic control utilized by one or more of the networked machines to form a consent state. Distribution of the digital asset to a networked machine is authorized in response to the consent state.

    Other inventors
  • Apparatus and Method for Persistent Digital Rights Management

    Issued US 11,928,188

    A machine has a network interface circuit to provide connectivity to networked machines. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores instructions executed by the processor to record the purchase of a digital asset by a user at a client machine from a data source machine in network communication with the client machine. The location of the digital asset on one or more machines of the networked machines is archived. The location is separate from the data source machine. The digital asset is associated with a data access policy. A request for the digital asset is received. The data access policy is enforced through programmatic control utilized by one or more of the networked machines to form a consent state. Distribution of the digital asset to a networked machine is authorized in response to the consent state.

    Other inventors
  • A Persona Based Privacy Browser

    Issued US 11,860,984

    A non-transitory computer readable storage medium with instructions executed by a processor maintains a digital wallet with digital identities. Each digital identity has persona attributes, a persona address book, a persona password manager, a persona email service, and a persona egress client specifying a persona egress location. A user is prompted to specify a selected digital identity. Browser state for the selected digital identity is loaded.

    Other inventors
  • Apparatus and Method for Processing Virtual Credit Cards for Digital Identities

    Issued US 11,568,408

    A non-transitory computer readable storage medium has instructions executed by a processor to maintain digital identities. Each digital identity has identity attributes different than identity attributes associated with a real individual utilizing the digital identity. Each digital identity has an associated attribute for compartmentalized network activity. Interactions between the digital identities and a virtual card provider are supported to secure virtual cards for the digital identities. Interactions between the digital identities and a persona management application are brokered, including delivering the virtual cards for the digital identities to the persona management application.

    Other inventors
  • Digital Wallet for Digital Identities and Interactions with a Digital Identity Services Platform

    Issued US 11,507,943

    A non-transitory computer readable storage medium has instructions executed by a processor to maintain a digital wallet with digital identities. Each digital identity has identity attributes different than identity attributes associated with a real individual utilizing the digital identity, an associated attribute for compartmentalized network activity, a digital identity key pair, and a designated block chain. Interactions between the digital identities of the digital wallet and a digital identity services platform are supported.

    Other inventors
  • Apparatus and Method for Evaluating and Modifying Data Associated with Digital Identities

    Issued US 11,477,178

    An apparatus has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to store identity attributes including real identity attributes for a real individual and at least two sets of digital identity attributes each operative as a personal privacy proxy with compartmental identity attributes. The at least two sets of digital identity attributes each include a digital identity name, a digital identity mobile device number and a digital identity email address. The at least two sets of digital identity attributes are evaluated to produce a similarity measure. The real individual is provided with a recommendation based upon the similarity measure.

    Other inventors
  • Apparatus and Method for Persona Based Isolation Browsing

    Issued US 11,290,429

    An apparatus has a persona services platform in communication with a user device via a network and a selected isolation browser provider via the network. The persona services platform is configured to receive from the user device a request for an isolation browser. The selected isolation browser provider is designated from a pool of isolation browser providers. Isolation browser configuration information is requested from the selected isolation browser provider. The isolation browser configuration information is augmented with persona specific configuration information to form complete isolation browser configuration information. The complete isolation browser configuration information is sent to the user device.

    Other inventors
  • Apparatus and Method for Establishing Trust of Anonymous Identities

    Issued US 11,177,937

    This invention relates generally to communications in computer networks. More particularly, this invention is directed toward techniques for establishing trust of anonymous identities operating in computer networks.

    Other inventors
  • Apparatus And Method For Managing Digital Identities And Controlling Their Correlation To Legal Identities

    Issued US 11,159,578

    This invention relates generally to communications in computer networks. More particularly, this invention is directed towards techniques for operating anonymous digital identities that can be connected to an owner’s legal identity only after a legal mandate is presented.

    Other inventors
  • Apparatus And Method For Enabling Owner Authorized Monitored Stewardship Over Protected Data In Computing Devices

    Issued US 10,963,582

    A machine has a network interface circuit to provide connectivity to networked machines. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores cryptographically protected data, a data access policy and a steward group specifying individuals to administer the data access policy. The memory stores instructions executed by the processor to receive a request to access the cryptographically protected data. Authentication tokens from individuals in the steward group are collected. It is determined that the authentication tokens satisfy the data access policy to establish a data access state. A decrypted version of the cryptographically protected data is supplied to one or more of the networked machines to establish a transaction. The transaction is recorded with a distributed ledger associated with at least a subset of the networked machines.

    Other inventors
  • System and Method to Automate Website User Interface Navigation

    Issued US 10,943,063

    An apparatus has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to store identity attributes including real identity attributes for a real individual and a digital identity with digital identity data attributes operative as a personal privacy proxy for the real individual. Website input forms are automatically filled alternately using the real identity attributes and the digital identity attributes.

    Other inventors
  • Apparatus and Method for Building, Extending and Managing Interactions Between Digital Identities and Digital Identity Applications

    Issued US 10,931,650

    An apparatus includes a processor and a memory connected to the processor. The memory stores instructions executed by the processor to store identity attributes including real identity attributes for a real individual and a digital identity with digital identity data attributes operative as a personal privacy proxy for the real individual. A digital identity management system is hosted to communicate with digital identity applications that observe a common application program interface. Each digital identity application implements at least one digital network function for the digital identity.

    Other inventors
  • Apparatus and Method for Managing Digital Identities

    Issued US 10,511,493

    An apparatus has a processor and memory connected to the processor. The memory stores instructions executed by the processor to store identity attributes including real identity attributes for a real individual and at least two sets of digital identity attributes each operative as a personal privacy proxy with compartmental identity attributes. The at least two sets of digital identity attributes include a first machine generated digital identity email address with a first role and a second machine generated digital identity email address associated with a second role.

    Other inventors
  • Apparatus And Method For Automating Secure Email For Multiple Personas

    Issued US 10,382,211

    A machine has a processor and a network interface circuit connected to the processor to provide network connectivity to a client device. A memory is connected to the processor. The memory stores instructions executed by the processor to implement a persona management service that operates to receive a request for a new email account from the client device. A new email account is created in response to the request. Cryptographic credentials for the new email account are received from the client device. The cryptographic credentials are sent to a certificate authority. A certificate authority validation is received from the certificate authority. The new email account with a cryptographic credential from the certificate authority is registered. The cryptographic credential is conveyed to the client device.

    Other inventors
  • Apparatus and Method For Administering Proxy Identities

    Issued US 10,356,052

    A non-transitory computer readable storage medium has instructions executed by a processor to host a proxy identity depot service application program interface to provide communication channels for proxy identity enabled applications operative on client devices. A proxy identity depot has a proxy identity management service, a proxy identity reputation service and a proxy identity transfer service. The proxy identity depot includes proxy identities for a real user, where each proxy identity has its own identity attributes to protect primary identity attributes of the real user and thereby each proxy identity is operative as a personal privacy proxy.

    Other inventors
  • Method And System For Providing Persona Masking In A Computer Network

    Issued US 10,320,753

    A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to allow a user to designate a selected persona from a pool of potential personas, where each potential persona is associated with the user and has a distinct set of computer network attributes. A virtual private network egress point for the selected persona is designated, where the virtual private network egress point masks computer network attributes of the selected persona. Contact with the virtual private network egress point is coordinated to initiate a network communication for the selected persona.

    Other inventors
  • Apparatus and Method For Identifying and Warning Of Synthetic Identity Behavior That Reduces User Privacy

    Issued US 10,178,106

    A non-transitory computer readable storage medium has instructions executed by a processor to collect mobile device environment parameters. Identity attributes including real identity attributes for a real individual and at least one set of synthetic identity attributes are stored. An electronic communication attempt by a designated entity corresponding to either the real identity attributes or the at least one set of synthetic identity attributes is monitored. The electronic communication attempt is analyzed in connection with the mobile device environment parameters and identity attributes to identify a rule transgression. A warning is supplied in connection with the electronic communication attempt in response to the rule transgression.

    Other inventors
    See patent
  • Executing Electronic Contract on NFC Enabled Mobile Devices

    Issued US 10,032,240

    A method, system and/or NFC (Near field communication) enabled mobile device is provided for executing an electronic contract on NFC enabled mobile devices. A first contracting party is provided to apply an electronic signature thereof in an electronic contract provided on a first NFC enabled mobile device used by the first contracting party, the electronic signature is applied through a secure element of the first NFC enabled mobile device. The electronically signed contract is transmitted from the first NFC enabled mobile device to a second NFC enabled mobile device used by a second contracting party for providing the second contracting party to apply an electronic signature thereof in the received electronically signed contract from the first NFC enabled mobile device through a secure element in the second NFC enabled mobile device.

    Other inventors
    See patent
  • Secure Connection Certificate Verification

    Issued US 9,906,371

    One or more computer processors identify a first certificate that is used to establish a secure Internet connection. One or more computer processors identify a stored second certificate that shares at least one attribute with the first certificate. One or more computer processors determine a policy action based, at least in part, on a result of a comparison between an attribute of the first certificate and an attribute of the second certificate.

    Other inventors
    See patent
  • Email Application for Synthetic Identities

    Issued US 9,729,519

    A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to receive an email account request, a name and a public key. A selected domain name is designated from a group of available domain names. A user name is generated based upon the name. An email account is formed using the user name and the selected domain name. The public key is stored.

    A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to prompt a user for a name associated with a request for an email account. A private key and a public key for the email account are generated. The public key, the name and the request for an email account are sent to an email provider. The private key is stored.

    Other inventors
    See patent
  • Sharing Web Application Sessions Across Multiple Devices

    Issued US 9,729,642

    A technique to at least partial transfer an active network communication session associated with a server and an authenticated user communicating through a first device. The at least partial transfer includes the following actions (not necessarily in the following order): (i) recording the network communication session on an inline network device; (ii) associating the network communication session with the second device on the inline network device; and (iii) sending session continuation information from the inline network device to at least the second device and/or the server. The first device is in data communication with the inline network device during at least a portion of the recording step. The session continuation information sent at the sending step includes information enabling the user to continue the active network communication session through the second device. The inline network device performs at least the associating step and the sending step under control of computer software running on computer hardware.

    Other inventors
    See patent
  • Decentralized Reputation Service for Synthetic Identities

    Issued US 9,703,986

    A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to collect synthetic identity activity information characterizing computer network activity associated with a synthetic identity. A synthetic identity reputation score is computed based upon a current synthetic identity reputation score, a synthetic identity activity value and an activity provider weighting.

    Other inventors
  • Automated Network Security Policy Deployment in a Dynamic Environment

    Issued US 9,654,513

    A method, system and computer-usable medium are disclosed for automatically deploying a network security policy based on virtual network topology in a dynamic software defined network (SDN) comprising: providing a flow control interface in a dynamic SDN wherein the flow control interface receives virtual network topology, operational endpoints, and policy to apply to the operational endpoints; responsive to receiving an SDN change indication, identifying changes to enforcement points for an SDN change corresponding to the SDN change indication; and, providing enforcement points affected by the SDN change with a policy reflecting the SDN change.

    Other inventors
  • System And Method For Software Defined Deployment Of Security Appliances Using Policy Templates

    Issued US 9,621,592

    A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed. A security template library is accessed to select a security template for each network appliance that will implement the one or more security policy for that network appliance to be deployed.

    Other inventors
  • Dynamic Security Sandboxing Based on Intruder Intent

    Issued US 9,535,731

    A method of security sandboxing which may include detecting an illicit intrusion to a computer on a first computer system; cloning the intruded computer; directing all traffic from the illicit intrusion to the cloned computer; observing activities of the illicit intrusion interacting with the cloned computer; and dynamically adapting the cloned computer to perform activities of predicted interest to the illicit intrusion based on the observed activities of the illicit intrusion. The steps of the method may be performed by one or more computing devices.

    Other inventors
  • Apparatus and Method for Masking a Real User Controlling Synthetic Identities

    Issued US 9,372,987

    A machine has a processor and a memory storing instructions executed by the processor to issue a challenge in response to a first request, evaluate a response to the challenge to establish confirmation that the first request originated from a human user, issue a user identification in response to the confirmation, store the user identification with encrypted identity data, receive a second request that includes the user identification, and return the encrypted identity data in response to the second request.

    Other inventors
  • Apparatus and Method for Supporting Telephonic Synthetic Identities

    Issued US 9,374,689

    A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to match a communication sender number or a communication receiver number associated with a communication to a synthetic identity. A parameter associated with the synthetic identity is selected. Delivery of the communication is coordinated such that the recipient of the communication views the parameter upon receipt of the communication.

    Other inventors
  • Providing a Domain to IP Address Reputation Service

    Issued US 9,270,684

    An approach is provided to verify a network address. In the approach, a network address is received from a domain name service (DNS) based on a requested uniform resource locator (URL) that corresponds to a requested domain. A set of one or more network addresses previously established as corresponding to the requested domain is retrieved from a data store accessible from the information handling system. The information handling system is automatically connected to the network address in response to the received network address matching one of the set of one or more retrieved network addresses.

    Other inventors
  • Managing Distribution of Software Updates in Near Field Communication (NFC) Mobile Devices

    Issued US 9,198,031

    A method, system and a computer program product for managing distribution of software updates in Near Field Communication (NFC) mobile devices includes retrieving information of one or more softwares in one or more NFC mobile devices by a NFC reader in communication range with the one or more NFC mobile devices, transmitting the retrieved information from the NFC reader to a distribution server which determines if the one or more softwares requires an update based on the retrieved information, in response to said determination, receiving an available updated software or update components of the one or more softwares from the distribution server to the NFC reader and transmitting thereof from the NFC reader to a secure element of the one or more NFC mobile devices whose one or more softwares require an updation.

    Other inventors
  • Automated Role And Entitlements Mining Using Network Observations

    Issued US 9,154,507

    A role and entitlements mining system uses network intelligence to facilitate role definition. The system records traffic on a network. The traffic is analyzed to identify the user and application involved. The matched data is then provided to an analytics engine, which analyzes that data to attempt to derive an initial set of one or more roles and the application entitlements for each role. Each role derived by the analytics engine identifies one or more users who are identified as belonging to the role, as well as one or more application entitlements. Preferably, one or more directory services are then interrogated for known group and user relationships to detect whether the roles identified by the analytics engine can be modified or enriched. Evaluation of the known group and user relationships provides a way to identify a more granular set of role definitions. A role-based access control policy is then generated.

    Other inventors
  • Accessing Local Applications When Roaming Using A NFC Mobile Device

    Issued US 9,088,410

    A method of accessing local applications when roaming on a NFC mobile device may include creating a first partition and a second partition on a secure element (SE) of a subscriber identification module (SIM) of a near field communication (NFC) enabled device. The home TSM separates the first partition and the second partition by public key encryption. The home TSM generates cryptographic keys in response to a request by a roaming TSM for access to the second partition of the SIM. Following the exchange of security keys, the home TSM delegates to the roaming TSM access to the second partition of the SIM.

    Other inventors
  • Cooperative Intrusion Detection Ecosystem For IP Reputation-Based Security

    Issued US 8,925,082

    An intrusion detection system (IDS) is enhanced to operate in a cluster of such systems, and IDSs organized into a cluster cooperate to exchange IP reputation influencing events information between or among the cooperating systems in realtime to enhance overall system response time and to prevent otherwise hidden attacks from damaging network resources. An IDS includes an IP reputation analytics engine to analyze new and existing events, correlate information, and to raise potential alerts. The IP reputation analytics engines may implement an algorithm, such as a pattern matching algorithm, a continuous data mining algorithm, or the like, to facilitate this operation. Clustering IDS endpoints to share IP reputation influencing events, using the cluster-wide view to determine IP reputation, and feeding the cluster-wide view back to the IDS endpoints, provides for enhanced and early detection of threats that is much more reliable and scalable as compared to prior art techniques.

  • Method and System for Implementing Privacy Notice, Consent, and Preference with a Privacy Proxy

    Issued US 8,464,311

    A method is presented for processing data for a privacy policy concerning management of personally identifiable information. A proxy intercepts a first message from a server to a client and determines that the first message initiates collection of personally identifiable information from a user of the client. The proxy then sends a second message to the client that requests consent from the user to the privacy policy. If the user provides consent within a third message that is received by the proxy from the client, then the proxy sends the intercepted first message to the client. If the user does not provide consent, then the proxy sends a fourth message to the server that fails the collection of personally identifiable information from the client by the server. The proxy may also obtain user preferences for options concerning management of the personally identifiable information by a data processing system.

    Other inventors
  • Method And System For Externalizing Session Management Using A Reverse Proxy

    Issued US 8,095,658

    A method, system and computer program product is presented for providing access to a set of resources in a distributed data processing system. A reverse proxy server receives a resource request from a client and determines whether or not it is managing a session identifier that was previously associated with the client by the reverse proxy server. If so, it retrieves the session identifier, otherwise it obtains a session identifier and associates the session identifier with the client using information that is managed by the reverse proxy server. The reverse proxy server then modifies the resource request to include the session identifier and forwards the modified resource request to an application server.

    Other inventors
  • Method And System For Providing User Control Over Receipt Of Cookies From E-Commerce Applications

    Issued US 7921152B2

    A method, system, apparatus, and computer program product are presented for processing cookies that are transmitted from a server through a proxy server to a client that is operated by a user. The proxy server detects that a response message from the server for the client has an associated cookie. The proxy server extracts a domain identifier associated with the server from the response message, and the proxy server retrieves a set of parameters that contain domain identifiers that are associated with indications of whether to block transmission of cookies from servers associated with the domain identifiers. The proxy server then processes the cookie in the response message in accordance with the retrieved set of parameters and the extracted domain identifier, either blocking or not blocking cookies from the identified domain. Blocked cookies are cached for subsequent use. Multiple sets of parameters may be configured by the user.

    Other inventors
  • Method and System For Implementing Privacy Policy Enforcement With a Privacy Proxy

    Issued US 7797726B2

    A method is presented for enforcing a privacy policy concerning management of personally identifiable information in a centralized manner through a privacy proxy agent. A proxy intercepts a message from a first system to a second system, e.g., from a server to a client, and determines whether the message is associated with an operation on personally identifiable information; if not, then the proxy sends the message to the second system, but if so, then the proxy determines whether the operation on the personally identifiable information is compliant with a privacy policy and with user preference information with respect to the privacy policy for a user who is associated the personally identifiable information. If the message is compliant with the privacy policy and user preference data, then the proxy sends the first message to the second system; otherwise, an error indication is returned to the first system.

    Other inventors
  • Method and System for Automating Purpose Usage Selection on Web Sites

    Issued US 7734642B2

    This invention automates the selection of purpose usages when a user agent interacts with a web site that has been enabled for automated purpose usage information exchange. A user first configures the purpose usage automation in his or her user agent. At this stage, which typically occurs offline, the user decides on a level of automation when specifying the one or more purpose usages. If desired, this preference may depend on how "trusted" the site is to the user.

    Other inventors
  • Method and System for Stepping up to Certificate-Based Authentication without breaking an existing SSL Session

    Issued US 7395424B2

    A method is presented for performing authentication operations. When a client requests a resource from a server, a non-certificate-based authentication operation is performed through an SSL (Secure Sockets Layer) session between the server and the client. When the client requests another resource, the server determines to step up to a more restrictive level of authentication, and a certificate-based authentication operation is performed through the SSL session without exiting or renegotiating the SSL session prior to completion of the certificate-based authentication operation. During the certificate-based authentication procedure, an executable module is downloaded to the client from the server through the SSL session, after which the server receives through the SSL session a digital signature that has been generated by the executable module using a digital certificate at the client. In response to successfully verifying the digital signature at the server, the server provides access to a requested resource.

    Other inventors
  • Establishing a Secure Context for Communicating Messages Between Computer Systems

    Issued EU 1714422B1

    Also filed in the US US20050154889A1 Method and system for a flexible lightweight public-key-based mechanism for the GSS protocol

    A method for establishing a secure context for communicating messages between a client and a server is presented that is compliant with the Generic Security Service application programming interface (GSS-API). The client sends to the server a first message containing a first symmetric secret key generated by the client and an authentication token; the first message is secured with the public key from the server's public key certificate. After the server authenticates the client based on the authentication token, the client then receives from the server a second message that has been secured with the first symmetric secret key and that contains a second symmetric secret key. The client and the server employ the second symmetric secret key to secure subsequent messages sent between the client and the server. The authentication token may be a public key certificate associated with the client, a username-password pair, or a secure ticket.

    Other inventors
    • Robert Fyfe
    • Michael Thomas

Organizations

  • Australian Information Security Association

    Honorary Life Time Member

    - Present
  • IEEE

    Senior Member

    - Present
  • International Conference on Blockchain and Cryptocurrency (ICBC)

    Organizing Committee

    Industry Relations Co-Chair
