1. The Field of the Invention
The present invention relates to the utilization of network services by an application client. More particularly, the present invention is directed to a system and method for regulating the use of distributed applications in a manner so that the applications can only be used in connection with the network services of an authorized network service provider.
2. The Prior State of the Art
Historically, personal computer software applications provided a stand-alone, single-user type of operating environments. However, new computer technologies and software applications have continued to enhance the computers ability to gather, process and distribute information, giving rise to the need for the interconnection and sharing of data between computers. This has resulted in the connection of computers by way of a variety of techniques, including local area networks, wide area public networks (such as the Internet) wide area private networks, direct modem links, and commercial service providers such as Microsoft Network and America Online.
Such interconnection schemes were initially designed and implemented for purposes of facilitating the exchange of data and information between computer users, i.e., exchanging data files, sending and receiving of electronic mail, etc. However, the increased availability and capability of high speed networks has resulted in the development of far more sophisticated distributed network applications. Such network technologies allow for the transparent interoperation and communication between applications that run on respective client computers connected via a particular network, and allow computer users to dynamically interact and share application data with one another.
While such distributed applications can serve any one of a number of different functions, one timely example is computer gaming applications. With this type of distributed application, a user executes a distributed game application at a standalone computer (sometimes referred to as a client). The user will then initiate access to a particular communications network host (referred to herein as a Network Service Provider, or xe2x80x9cNSPxe2x80x9d) such as may be provided by, for example, Microsoft Network, America Online, or a private gaming network, which in turn provides access to the network services for use by the distributed application. The application will then proceed to interoperate/communicate with other similarly connected computers running that particular distributed application, via the NSP network. For instance, game data and game state information is exchanged between the network connected computer participants via the network services provided by the NSP. In this way, each of the computer users/players can simultaneously compete and/or otherwise interact with one another in the manner defined by the particular distributed game application.
Currently, there are a variety of network service providers (sometimes referred to as Online Service Providers) that provide such network xe2x80x9chostxe2x80x9d services for these types of distributed applications. It will be appreciated that as the availability, usage, and popularity of these types of distributed applications expands, there is a corresponding increase in demand for the services provided by the NSPsxe2x80x94an obvious economic benefit to the NSP. It would be desirable for the application vendor to share in this benefit, since it is the application that is generating an increase in demand for NSP services. Similarly, it would be desirable for an NSP to negotiate with an application vendor to be the exclusive network service provider for a particular application. However, until now there has not been a suitable solution for arranging such an exclusive arrangement.
Instead, an end user typically need only purchase a copy of the distributed application (e.g., a computer game), and the user is then free to run it on any NSP network that supports the communication protocols utilized by that application. Since such applications typically support widely used, industry standard protocols such as TCP/IP, IPX, etc., the application user can often select from any one of a number of NSP""s on which to utilize the application. As such, the application vendor has no practical way of limiting its application to a selected NSP.
Current approaches that have been used to restrict a distributed application""s use to a specific NSP have not been entirely satisfactory or practical. One approach has been to preconfigure the application so that it is operable only in connection with a particular NSP. For instance, the application software itself will be customized to have a particular communications front end so that the application is only capable of running on the network services provided by a specific NSP. Use of the application is limited to that provider because the software is incompatible with the networks of other NSPs. While the approach allows for the desired exclusive arrangement between a vendor and an NSP, the approach is severely limited in flexibility, and therefore does not provide a practical business solution. For instance, in the event that the application vendor seeks to develop relationships with other NSPs, or seeks to subsequently develop an exclusive arrangement with a different NSP, the underlying software must be rewritten, reconfigured or otherwise manipulated so as to be capable of running via the new NSP""s network. This of course would include a rewrite or reconfiguration of all existing applicationsxe2x80x94an impractical, time consuming and expensive process.
What is needed then is a method for regulating the use of a distributed application on preselected NSP(s) that is flexible enough so as to permit the application vendor to easily change to different authorized NSPs without requiring any customization or reconfiguration of the underlying application. Moreover, the method should ensure that when authorization is granted to one exclusive NSP, other non-authorized NSPs are prevented from providing unauthorized network services to that particular application. Preferably, the authorization scheme should easily transferable, so that authorization can be granted to one particular NSP for a certain amount of time, and then be granted to other NSPs after that prescribed time period has expired. Also, an authorization scheme should not be susceptible to counterfeiting or alteration. Allowing an application vendor this ability to selectively and safely provide authorization to a NSP will allow for exclusive and flexible business arrangements resulting in new, synergetic business models between NSP""s and application vendors. For instance, application vendors will have access to a new revenue stream from NSPs who are interested in supporting the vendor""s application. At the same time, NSPs will have an opportunity to add value and generate new demand for their services. For example, a NSP can be the exclusive host for a new, high demand premium application, and thereby gain new subscribers wishing to utilize that application.
The foregoing problems in the prior state of the art have been successfully overcome by the present invention, which is directed to a system and method for regulating a network service provider""s ability to host a particular distributed application. More particularly, the present invention defines a system and method whereby an application vendor is able to pre-define a service provider verification data set, or xe2x80x9cpermit,xe2x80x9d for a particular distributed application, such as a computer game application. The application vendor can then issue this xe2x80x9cpermitxe2x80x9d to a selected NSP. The permit authorizes the NSP to provide network communication services to that particular distributed application. Further, use of the permit prevents other non-authorized NSPs from attempting to provide network services to that particular application.
The permit preferably contains at least one unique identifier that provides the ability to authenticate the validity of the permit, and that also provides the ability to confirm the integrity of the permit data when it is presented by the NSP. This provides assurance that the permit data has not been modified or replaced in transit, and also prevents the creation and/or use of counterfeit or improperly obtained permits. While other approaches could be used, in a preferred embodiment this unique identifier is in the form of a xe2x80x9cdigital signaturexe2x80x9d that is placed on the permit. This digital signature uniquely identifies the permit as having been issued by a particular application vendor, and can be used to ensure the integrity and the authenticity of the permit and its data content.
Preferably, the permit also contains additional parametersxe2x80x94or verification dataxe2x80x94that define the scope of the authorization that is granted to the NSP. For instance, information regarding the particular application for which authorization is being granted would typically be included, such as a unique identifier of the application, the version/release number of the application, and/or information about the application vendor. Other authorization parameters can also be included. For example, a specified time period for which the authorization is being granted can be placed in the permit. In a presently preferred embodiment, the permit also includes the NSP""s own xe2x80x9csoftware publisher certificate,xe2x80x9d or xe2x80x9cPublic certificate,xe2x80x9d which can subsequently be used to validate that a NSP has presented a permit that actually belongs to that NSP. This prevents one NSP from utilizing and presenting another""s permit.
In a preferred method of operation, when a distributed application is executed at a client computer, access to the network services of a particular NSP are requested. However, before the game application is permitted to utilize the services of the NSP, in one embodiment an interface software module executing on the client computer requests that the NSP provide it with a proper permit. If no permit is provided, the game application will not be allowed to access that particular NSP. If the client computer does receive a permit, the permit""s authenticity and integrity, as well as the scope of the authority granted, is verified via the unique identifier, and via any verification data associated with the permit. If the permit is not valid for any reason, access to that NSP is denied. As noted above, the permit. preferably includes verification data that enables the client, via the interface software module, to ensure that the NSP that presents the permit is actually the NSP for which the permit was originally created. This is accomplished in the preferred embodiment by verifying the authenticity of a public certificate contained within the permit and thereby verifying the identity of the NSP presenting the permit.
Under some circumstances, there may be a need for the application vendor to revoke authorization that has been previously granted to a particular NSP. Under this approach, a second confirmation of the NSP""s xe2x80x9ccurrentxe2x80x9d status is required. For instance, some event may have occurred since the time that the NSP was initially granted authority that prompts the application vendor to revoke that authority. To accomplish this, in an alternate embodiment when a distributed application is executed at a client and is connected to a previously authorized NSP, the interface module first forwards a unique request data packet to the application vendor via a communications link to the NSP. Upon receiving the data packet, the vendor determines whether the NSP should be allowed to provide services to the specified distributed application. If so, it will return a permit containing a unique identifier to the NSP, which then forwards it to the client. The client then verifies that the NSP remains authorized to provide the requested network services by way of the contents of the permit. If the permit is valid, communications on the NSP will proceed. If not, access to the NSP for the distributed application is denied. This approach allows the vendor to easily revoke authority from a NSP at any time.
Use of this generic permit to grant/revoke authorization allows an application vendor to easily regulate which NSP (or NSPs) will be permitted to supply network services for its distributed application. Authorization is dictated by NSP""s possession of a valid permit. This greatly enhances a vendor""s ability to form and change business relationships with service providers. Moreover, authorization can be granted without having to rewrite or change the application itself.
Preferably, functions relating to communications with the NSP, and to the validation and authentication of a permit received from the NSP, are handled by way of the interface software module executing at the client computer. Such functions are made available to the distributed application by the interface module by way of a common program interface (or application program interfacexe2x80x94API). In this way, distributed applications need only be written to this defined API. This results in greater flexibility. For instance, in the event that an application vendor forms a new business relationship with a new NSP, the distributed application does not have to be changed or reconfigured, because it will continue to access the NSP network by way of the standard interface defined by the interface module API.
Accordingly, it is a primary object of the present invention to provide a system and method for enforcing a relationship between a network-based distributed application and a provider of network services so that the application will only work with pre-authorized network(s).
Another important object of the present invention is to provide a system and method that allows an application vendor to selectively authorize NSPs to provide network services to the vendor""s application in a manner that does not require any customization or pre-configuration of the application.
An additional object of the present invention is to provide a system and method that allows an application vendor to revoke an NSP""s ability to host an application.
Still another object of the present invention is to provide a system and method that allows an application vendor to designate new NSPs as being authorized to provide network services for a distributed application, without having to alter, update or otherwise customize the actual distributed application software.
Another object of the present invention is to provide a system and method that allows an application vendor to selectively authorize NSPs to provide network services to the vendor""s application with an authorization scheme that cannot be falsified, reproduced, copied, counterfeited or changed and used by an unauthorized NSP.
Still another object of the present invention is to provide a system and method that verifies the identity of a NSP so as to ensure that a particular NSP that purports to have authorization to host a particular application is in fact the NSP that was originally authorized by the application vendor.
These and other objects, features and advantages of the present invention will be set forth in the description which follows, and in part will be more apparent from the detailed description of a preferred embodiment, and/or from the appended claims, or may be learned by actual practice of the invention.