Access control in a distributed computer system

Assignee

• International Computers Limited · GB

Inventor

• Thomas A. Parker · Calne, GB

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L2209/76
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A mechanism is described for controlling access to a target application (TA) in a distributed computer system. A user sponsor (US) acting on behalf of an end user is issued with a privilege attribute certificate (PAC) containing initiator qualifier attributes (IQA) identifying permitted users of the PAC. The US obtains a key from a key distribution server (KDS), the key having initiator qualifier attributes of the US cryptographically associated with it. The US uses this key to communicate with the TA, and presents its PAC for verification. If the IQA in the PAC do not match the IQA associated with the key, this indicates that the PAC is being presented by the wrong initiator, and so access is not permitted. If a receiving entity subsequently wishes to act as an initiator and to use the PAC by proxy, it acquires a key from the KDS, the key having the receiving entity's attributes cryptographically associated with it. This provides a way of regulating proxy use of PACs.