1. Field of the Invention
This invention relates to computer systems, and more particularly to computer systems including timekeeping systems.
2. Description of the Related Art
Due to their limitations, time keeping devices such as time clocks are only capable of providing estimates of the current time and/or date. Time critical functions, such as air traffic control operations and banking transaction time stamping functions, require highly accurate estimates of the current time and/or date. Other time dependent functions, such as software evaluation/rental/lease agreements or music rental agreements involving set periods of time, require less accurate estimates of the current time and/or date.
A typical personal computer (PC) includes two time keeping systems: a hardware real time clock (RTC), and a software virtual clock maintained by an operating system. The RTC typically includes a battery backup source of electrical power, and continuously maintains an estimate of the current date and time. The software virtual clock is typically synchronized to the RTC during PC power up and initialization (i.e., during operating system boot up). In many PCs, synchronization of the software virtual clock to the RTC occurs only during operating system boot up.
Unfortunately, the RTC of the typical PC is highly subject to tampering. For example, a PC user is typically free to change the current date/time maintained by the RTC of the PC at will. Further, a PC user may tamper with accessible hardware components of the RTC (e.g., an oscillator crystal) in order to make the RTC run slow, thereby potentially extending time periods of software evaluation/rental/lease agreements or music rental agreements relying on the RTC for timekeeping.
Many different time synchronization systems exist for synchronizing computer system time clocks over networks (e.g., the Internet). Examples of such network time synchronization systems include the network time protocol (NTP) and the related simple network time protocol (SNTP). Time synchronization software executed by a PC typically provides periodic time synchronization of an RTC of the PC to an external time source. The time synchronization software may also track RTC timekeeping errors and adjust programmable RTC timekeeping circuits to improve RTC timekeeping accuracy between periodic time synchronizations.
It is now possible to obtain (e.g., via the Internet) application software and other content (e.g., music) for use over a fixed period of time (e.g., on an evaluation basis, or subject to a rental or lease agreement). As techniques do not exist for verifying the accuracy and/or security of a PC timekeeping system, sophisticated software evaluation/rental/lease systems typically include with the application software either separate timekeeping software or monitoring software which detects/prevents changes to the current date/time maintained by the RTC of a PC. Like the RTC itself, timekeeping and monitoring software is vulnerable to tampering, and security issues related to software evaluation/rental/lease systems are believed to be major reasons why relatively expensive application software programs (e.g., large computer aided design programs) are generally not available for evaluation/rental/lease via the Internet.
In order to facilitate applications such as the distribution of software for evaluation/rental/lease via the Internet, it would thus be desirable to have a network for delegating different levels of timekeeping "trust" to requesting computer systems based upon timekeeping accuracy and/or timekeeping security (e.g., time clock tamper resistance) of the requesting computer systems. Higher levels of timekeeping trust may, for example, allow access to a larger set of application software for evaluation/rental/lease via the Internet including more expensive application software programs. Lower levels of timekeeping trust may limit access to more expensive application software programs, but may be adequate for lower cost content (e.g., music).
A network is described for providing estimates of the current time. The network includes multiple computer systems each configured to provide an estimate of the current time in response to a received request. The computer systems are logically arranged to form a hierarchical structure, wherein the hierarchical structure includes multiple levels ranked with respect to one another. Each of the computer systems is assigned one of multiple levels of trust, and occupies one of the levels of the hierarchical structure dependent upon the assigned level of trust. The level of trust assigned to a given computer system is dependent upon a timekeeping dependability of the given computer system. The assigned level of trust may also be dependent upon a timekeeping security of the given computer system, where the timekeeping security is dependent upon a tamper resistance of the time clock of the given computer system.
Each computer system of the network (i.e., network computer system) may include, for example, a time clock for tracking the passage of time and for maintaining the estimate of the current time. In this case, the timekeeping dependability of a given network computer system may depend upon a timekeeping accuracy of the time clock of the given network computer system, and may also depend upon a timekeeping stability and/or a timekeeping reliability of the time clock.
In one embodiment of the network, a single one of the network computer systems is a central authority assigned the highest level of trust and occupies a highest level in the hierarchical structure. In other embodiments of the network, multiple network computer systems may occupy the highest level in the hierarchical structure.
The network may also include a directory service for storing information specifying the logical arrangement of the computer systems. The directory service may also provide the information in response to a received request.
In a method for delegating a level of trust, a new computer system (i.e., a computer system which is not part of the network) may contact a network computer system and request assignment of a level of trust. The network computer system may assign the new computer system a level of trust dependent upon a timekeeping dependability of the new computer system. For example, the new computer system may include a time clock for tracking the passage of time and maintaining an estimate of the current time. The timekeeping dependability of the new computer system may be dependent upon a timekeeping accuracy, a timekeeping stability, and/or a timekeeping reliability of the time clock. During the trust level delegation process, the new computer system may provide information conveying the timekeeping accuracy, stability, and/or reliability of the time clock to the network computer system. Alternately, the new computer system may provide time clock identification information identifying the time clock to the network computer system. In this case, the network computer system may use the time clock identification information to obtain the timekeeping accuracy, stability, and/or reliability of the time clock (e.g., from a table). The network computer system may then apply the established set of criteria using the timekeeping accuracy, stability, and/or reliability information in order to assign the new computer system a level of trust.
Further, the network computer system may test the time clock of the new computer system by executing time clock testing software. Alternately, the network computer system may transmit the time clock testing software to the new computer system. In this case, the new computer system may execute the time clock testing software, and convey test results produced by the time clock testing software to the network computer system. The time clock testing software may directly measure the timekeeping accuracy, stability, and/or reliability of the time clock of the new computer system, and the test results may indicate the timekeeping accuracy, stability, and/or reliability of the time clock. Alternately, the time clock testing software may determine time clock identification information identifying the time clock, and the test results may include the time clock identification information. In this case, the network computer system may use the time clock identification information to obtain the timekeeping accuracy, stability, and/or reliability of the time clock (e.g., from a table) as described above. The network computer system may then apply the established set of criteria using the timekeeping accuracy, stability, and/or reliability information in order to assign the new computer system a level of trust.
The level of trust assigned to the new computer system may also be dependent upon a timekeeping security of the new computer system, where the timekeeping security is dependent upon a tamper resistance of the time clock of the new computer system. In this case, the new computer system may also provide information conveying the timekeeping security of the time clock. Alternately, the new computer system may provide time clock identification information identifying the time clock to the network computer system, and the network computer system may use the time clock identification information to obtain the timekeeping security of the time clock (e.g., from the table).
In one embodiment of the network, a given network computer system occupying a given level of trust may only delegate (i.e., assign) levels of trust less than the given level of trust. For example, where the highest level of trust is a trust level "1" and lower levels of trust are numbered consecutively in ascending order (e.g., "2", "3", and so on), a computer system occupying trust level "3" may only delegate levels of trust numbered "4" and greater than "4", and may not delegate trust levels numbered "3" or less than "3".
A method for adding a new computer system to the network includes receiving such a request from the new computer system. The new computer system must be configured to provide an estimate of the current time in response to received requests. If the computer system has not been assigned a level of trust, the new computer system may be assigned a level of trust as described above. The new computer system may then be assigned to one of the levels of the hierarchical structure dependent upon the assigned level of trust. In addition, the assignment of the new computer system to the assigned level of the hierarchical structure may be recorded. For example, where the network includes the above described directory service, the recording may include adding information to the directory which indicates the assignment of the new computer system to the assigned level of the hierarchical structure.
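The delegation and admission steps described above (table lookup by time clock identification information, applying criteria, the rule that a system may only delegate trust below its own, and recording the assignment in the directory) can be sketched as follows. This is an added example, not code from the patent; the clock table, the criteria thresholds, the five-level range and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed table keyed by time clock identification information.
# Drift figures and tamper flags are hypothetical sample values.
CLOCK_TABLE = {
    "gps-sealed":   {"drift_ppm": 0.01, "tamper_resistant": True},
    "tcxo-sealed":  {"drift_ppm": 2.0,  "tamper_resistant": True},
    "ocxo-exposed": {"drift_ppm": 0.05, "tamper_resistant": False},
    "pc-rtc":       {"drift_ppm": 50.0, "tamper_resistant": False},
}
# Assumed criteria: (max drift in ppm, tamper resistance required, level).
CRITERIA = [(0.1, True, 2), (5.0, True, 3), (100.0, False, 4)]
LOWEST_LEVEL = 5  # assumed bottom of the hierarchy; level 1 is highest trust


@dataclass
class Node:
    name: str
    level: int


def criteria_level(clock_id):
    """Best level the clock qualifies for under the assumed criteria."""
    clock = CLOCK_TABLE.get(clock_id)
    if clock is None:
        return LOWEST_LEVEL  # assumed policy: unknown clocks get least trust
    for max_drift, needs_tamper_resistance, level in CRITERIA:
        accurate = clock["drift_ppm"] <= max_drift
        secure = clock["tamper_resistant"] or not needs_tamper_resistance
        if accurate and secure:
            return level
    return LOWEST_LEVEL


def admit(delegator, name, clock_id, directory):
    """Assign a level of trust, place the system, record it in the directory."""
    if delegator.level >= LOWEST_LEVEL:
        raise PermissionError(f"{delegator.name} has no lower level to delegate")
    # A system may delegate only trust below its own (a larger level number),
    # however good the requester's clock is.
    level = max(criteria_level(clock_id), delegator.level + 1)
    node = Node(name, level)
    directory.setdefault(level, []).append(name)
    return node
```

Note that an accurate but exposed clock ("ocxo-exposed") lands at the same level as an ordinary PC RTC, because the assumed criteria require tamper resistance for the upper levels.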