Network access protection

Information

  • Patent Application: 20070234040
  • Publication Number: 20070234040
  • Date Filed: March 31, 2006
  • Date Published: October 04, 2007
Abstract
A method is provided for use in a computer system including a client and a health registration authority. The health registration authority is configured to accept requests for assertions, and the client has a health state described by at least one health claim. The method may include an act of including an indication of the at least one health claim of the client in a request for an assertion. A second method is provided for use in a computer system comprising a client, an assertion authority, and a plurality of health policies. The method can include an act of including an indication of at least one health policy that the health claim of the client satisfies in an assertion.
Description

BRIEF DESCRIPTION OF DRAWINGS

In the drawings, each identical or nearly identical component that is illustrated in various figures is represented by a like numeral. For purposes of clarity, not every component may be labeled in every drawing. In the drawings:

FIG. 1 is a block diagram of a health aware system in accordance with one embodiment;

FIG. 2 is a flowchart of a process where a health state of a client is evaluated and an assertion is generated in accordance with one embodiment of the invention;

FIG. 3 is a block diagram of client components that can enable health awareness in accordance with one embodiment of the invention;

FIG. 4 is a block diagram of a health certificate enrolment agent in accordance with one embodiment of the invention;

FIG. 5 is a block diagram of an embodiment of a health key and certificate management service in accordance with one embodiment of the invention; and

FIG. 6 is a flow chart of a health certificate enrolment protocol in accordance with one embodiment of the invention.


Claims
  • 1. A method for use in a computer system comprising a client and a health registration authority, the health registration authority being configured to accept requests for assertions, the client having a health state described by at least one health claim, the method comprising an act of: (A) including an indication of the at least one health claim of the client in a request for an assertion.
  • 2. The method of claim 1, wherein the assertion comprises a certificate.
  • 3. The method of claim 2, wherein the certificate comprises an X.509 certificate.
  • 4. The method of claim 1, further comprising an act of: (B) sending the request for the assertion, created in act (A), to the health registration authority.
  • 5. The method of claim 4, wherein the computer system further comprises a plurality of health policies, and wherein the method further comprises acts of: (C) receiving the request for the assertion sent in act (B); and (D) after act (C), determining at least one health policy of the plurality of health policies that the at least one health claim of the client satisfies.
  • 6. The method of claim 5, further comprising an act of: (E) including an indication of the at least one health policy that the at least one health claim of the client satisfies in a second request for an assertion.
  • 7. The method of claim 6, wherein act (E) comprises including the indication of the at least one health policy that the at least one health claim of the client satisfies in an extended key usage extension of the second request for the assertion.
  • 8. The method of claim 6, wherein act (E) comprises including the indication of the at least one health policy that the at least one health claim of the client satisfies in a policy extension field of the second request for the assertion.
  • 9. A computer-readable medium having computer executable instructions for performing the acts recited in claim 1.
  • 10. A method for use in a computer system comprising a client and an assertion authority, the assertion authority configured to generate assertions associated with the client, the client having a health state described by at least one health claim, the computer system further comprising a plurality of health policies, the health claim of the client satisfying at least one health policy of the plurality of policies, the method comprising an act of: (A) including an indication of the at least one health policy that the health claim of the client satisfies in an assertion.
  • 11. The method of claim 10, wherein the assertion comprises a certificate.
  • 12. The method of claim 11, wherein the certificate comprises an X.509 certificate.
  • 13. The method of claim 10, wherein act (A) comprises including an indication of the at least one health policy that the health claim of the client satisfies in an extended key usage extension of the assertion.
  • 14. The method of claim 10, wherein act (A) comprises including an indication of the at least one health policy that the health claim of the client satisfies in a policy extension field of the assertion.
  • 15. A computer-readable medium having computer executable instructions for performing the acts recited in claim 10.
  • 16. At least one computer for use with a computer system comprising a client having a health state described by at least one health claim, the computer system further comprising a plurality of health policies, the health claim of the client satisfying at least one health policy of the plurality of policies, the at least one computer comprising at least one processor programmed to: include an indication of the at least one health policy that the at least one health claim of the client satisfies in a request for an assertion.
  • 17. The at least one computer of claim 16, wherein the assertion comprises a certificate.
  • 18. The at least one computer of claim 16, wherein the at least one processor is further programmed to: include an indication of the at least one health policy that the health claim of the client satisfies in an assertion.
  • 19. The at least one computer of claim 18, wherein the assertion comprises a certificate.
  • 20. The at least one computer of claim 19, wherein the certificate comprises an X.509 certificate.
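The three-party exchange that the abstract and claims 1-14 describe (client puts health claims in a request; the health registration authority decides which health policies those claims satisfy and forwards only policy indications in a second request; the assertion authority places those indications in the extended key usage and certificate policies fields of the assertion), as an added example that is not part of the patent and is not Microsoft's NAP code. It uses only the Python standard library: a dictionary with an HMAC over its canonical JSON encoding stands in for an X.509 certificate and its signature, and every OID, policy name and health claim name below is invented for illustration.

```python
"""Added example (not from the patent or from Microsoft's NAP code): a
standard-library model of the health certificate enrolment exchange the
claims describe. A dict plus an HMAC over its canonical JSON encoding
stands in for an X.509 certificate and its signature; every OID, policy
and claim name below is invented for illustration."""

import hashlib
import hmac
import json

# Hypothetical policy OIDs (assumption, not from the patent or any registry).
OID_FULL_ACCESS = "1.3.6.1.4.1.99999.47.1"
OID_RESTRICTED_ACCESS = "1.3.6.1.4.1.99999.47.2"

# Health policies: OID -> the health claims a client must present to satisfy it.
HEALTH_POLICIES = {
    OID_FULL_ACCESS: {"firewall": "on", "antivirus": "current", "patches": "current"},
    OID_RESTRICTED_ACCESS: {"firewall": "on"},
}

# Constructed CA key. It is shared with relying parties only because the
# stand-in signature is symmetric; a real CA would sign with a private key.
CA_KEY = b"demo-ca-signing-key"


def _canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def client_build_request(subject, health_claims):
    """Client (claims 1-4): include its health claims in the assertion request."""
    return {"subject": subject, "healthClaims": dict(health_claims)}


def hra_evaluate(request):
    """Health registration authority (claims 5-8): determine which policies the
    claims satisfy and forward only policy indications in a second request,
    placed in both the extended key usage and certificate policies fields."""
    claims = request["healthClaims"]
    satisfied = [oid for oid, required in HEALTH_POLICIES.items()
                 if all(claims.get(name) == value for name, value in required.items())]
    return {"subject": request["subject"],
            "extendedKeyUsage": satisfied,
            "certificatePolicies": satisfied}


def ca_issue(second_request, ca_key=CA_KEY):
    """Assertion authority (claims 10-14): copy the HRA's policy indications
    into the assertion and sign it. Raw health claims never reach the CA."""
    tbs = {"subject": second_request["subject"],
           "extendedKeyUsage": list(second_request["extendedKeyUsage"]),
           "certificatePolicies": list(second_request["certificatePolicies"])}
    signature = hmac.new(ca_key, _canonical(tbs), hashlib.sha256).hexdigest()
    return {"tbs": tbs, "signature": signature}


def enforcement_point_accepts(cert, required_oid, ca_key=CA_KEY):
    """Relying party (e.g. a network enforcement point): accept only if the
    signature verifies and the required policy OID is in the EKU extension."""
    expected = hmac.new(ca_key, _canonical(cert["tbs"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["signature"]):
        return False
    return required_oid in cert["tbs"]["extendedKeyUsage"]


def enrol(subject, health_claims):
    """The whole exchange: client -> HRA -> CA -> certificate returned to client."""
    return ca_issue(hra_evaluate(client_build_request(subject, health_claims)))


def forge_policy(cert, oid):
    """Attacker action: a client edits its own certificate to add a policy it
    was not granted. The signature no longer covers the edited fields."""
    forged = json.loads(json.dumps(cert))
    forged["tbs"]["extendedKeyUsage"].append(oid)
    return forged


if __name__ == "__main__":
    healthy = enrol("laptop-1", {"firewall": "on", "antivirus": "current", "patches": "current"})
    stale = enrol("laptop-2", {"firewall": "on", "antivirus": "stale", "patches": "current"})
    print("healthy, full access:", enforcement_point_accepts(healthy, OID_FULL_ACCESS))
    print("stale AV, full access:", enforcement_point_accepts(stale, OID_FULL_ACCESS))
    print("stale AV, restricted:", enforcement_point_accepts(stale, OID_RESTRICTED_ACCESS))
    print("forged, full access:",
          enforcement_point_accepts(forge_policy(stale, OID_FULL_ACCESS), OID_FULL_ACCESS))
```

The split of roles is the security-relevant point: the client's self-reported claims are consumed by the HRA alone, the CA certifies only the HRA's policy decision, and the enforcement point never has to interpret health claims, only verify the signature and look for the policy OID. A client that adds an OID it was not granted invalidates the signature, which is what the forged case shows.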