Electronic credentials are data objects with associated properties that are generally used in networked computer systems for identification and/or authorization purposes. Passwords, keys, certificates and usernames are just a few examples of credentials. In an application deployment platform where multiple applications run on a client system, it is typical for the applications to share credentials. Generally, a platform-provided unified mechanism such as a credential store is used to store the credentials and share them between the multiple applications.
Often a user will need to manage these credentials, performing functions such as deleting expired or unwanted credentials, adding new credentials, or adjusting the visibility or other properties of the credentials. One approach to managing credentials uses a single generic tool, provided as part of the platform, that has no knowledge of the applications. A single generic tool typically does not work well because it is unable to generate a user-friendly user interface: it cannot interpret the semantics associated with the application-specific credential properties. Furthermore, such a tool cannot enforce application-defined constraints because it does not have knowledge of the applications. For example, a messaging application might require that at most one private key is labeled as the default messaging signature key, but if this labeling was done using an application-defined property, the platform would understand neither its purpose nor its constraints. Another problem associated with the single generic tool is that, in the scenario where multiple applications share credentials, the tool does not allow the applications to create their own properties associated with the credentials. Even if the tool had this capability, it would not be able to create a user-friendly user interface to manage those application-defined properties.
One way of overcoming the problems associated with using a single generic tool for the management of credentials is to use application-specific tools to manage the credentials that belong to each application. This approach would permit application-specific semantics to be exposed and constraints to be enforced; however, it would result in a number of different and independent credential management tools. Further, problems would arise for credentials that are shared between applications. In particular, the shared credentials would be managed by multiple tools, which is very confusing for the user, especially where different overlapping subsets of properties are managed by different tools.
Therefore, there is a need for a methodology that can better facilitate the management of credentials that are shared between multiple applications. Instead of directly managing credentials, an approach that manages the associations between the credentials and the applications that want to use them would afford a more controlled methodology that is not currently available, especially in scenarios where multiple applications share credentials. Such an approach would not manipulate the underlying credentials but rather the associations between the credentials and the applications, represented by labels or tags attached to the credentials. Management would then be directed towards operations such as adding or deleting labels or changing the values associated with the labels, rather than manipulating the underlying credentials. Deleting a credential would then be analogous to deleting all of the labels attached to that credential.
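The following is an added illustration of the label-based approach described above, not code from the original document: a small platform credential store in which applications manage only the labels attached to shared credentials, application-registered constraints (such as the "at most one default signature key" rule of the messaging application) are checked on every label change and rejected changes are rolled back, and removing the last label deletes the credential. All class, method and property names, and the sample credentials, are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Credential:
    cred_id: str
    secret: bytes
    # application name -> {property name -> value}; each entry is one label/tag
    labels: dict = field(default_factory=dict)

class CredentialStore:
    # Applications add, change and remove labels here; the secret itself is never touched.
    def __init__(self):
        self._creds = {}        # cred_id -> Credential
        self._constraints = {}  # app -> [check({cred_id: properties}) -> bool]

    def add_credential(self, cred: Credential) -> None:
        self._creds[cred.cred_id] = cred

    def register_constraint(self, app: str, check) -> None:
        self._constraints.setdefault(app, []).append(check)

    def labels_for(self, app: str) -> dict:
        # the view an application-aware management tool would present for one application
        return {cid: c.labels[app] for cid, c in self._creds.items() if app in c.labels}

    def set_label(self, app: str, cred_id: str, prop: str, value) -> bool:
        cred = self._creds[cred_id]
        before = {a: dict(p) for a, p in cred.labels.items()}  # snapshot for rollback
        cred.labels.setdefault(app, {})[prop] = value
        if all(chk(self.labels_for(app)) for chk in self._constraints.get(app, [])):
            return True
        cred.labels = before  # an application-defined constraint rejected the change
        return False

    def remove_labels(self, app: str, cred_id: str) -> None:
        cred = self._creds[cred_id]
        cred.labels.pop(app, None)
        if not cred.labels:  # no application claims the credential any more: delete it
            del self._creds[cred_id]

    def has_credential(self, cred_id: str) -> bool:
        return cred_id in self._creds

def at_most_one_default_signer(app_labels: dict) -> bool:
    # the messaging application's rule: at most one key may be the default signature key
    return sum(1 for p in app_labels.values() if p.get("default_signature_key")) <= 1
```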