Title of invention MULTI-FACETED COMPUTE INSTANCE IDENTITY
Abstract A compute instance of a virtual computing service (VCS) is assigned first and second cryptographically verifiable identities (CVIs) within respective namespaces. A cryptographic key pair associated with the first CVI includes a non-transferable private key managed by a secure key store which does not permit the private key to be copied. The VCS enables the instance to use the private key for asserting the CVIs. In response to a first identity query, the instance indicates the first CVI. In response to a second identity query, the instance indicates the second CVI.
Publication number US2016182473(A1) Publication date 2016.06.23
Application number US201414577232 Filing date 2014.12.19
Applicant Amazon Technologies, Inc. Inventors CIGNETTI TODD LAWRENCE; BOWEN PETER ZACHARY; DOANE ANDREW JEFFREY; SCHOOF ALEXANDER EDWARD
Classification H04L29/06 Main classification H04L29/06
Agency Agent
Independent claim 1. A system, comprising: a plurality of instance hosts of a virtual computing service of a provider network, including at least a first instance host comprising one or more compute instances; wherein a particular compute instance of the one or more compute instances is configured to: in response to a first identity query from a first authenticator associated with a first application, provide an indication of a first cryptographically verifiable identity (CVI) assigned to the particular compute instance within a first instance identity namespace (IIN), wherein the first CVI is associated with a cryptographic key pair designated for the first compute instance, wherein a private key of the cryptographic key pair is managed by a secure key store configured to prevent copying of the private key to locations external to the secure key store, and wherein the virtual computing service enables the particular compute instance to use the private key to provide the indication of the first CVI; in response to a determination that the first CVI has been accepted by the first authenticator, perform one or more operations of the first application; in response to a second identity query from a second authenticator associated with a second application, provide an indication of a different CVI assigned to the first compute instance within a different IIN; and in response to a determination that the second CVI has been accepted by the second authenticator, perform one or more operations of the second application.
Address Reno NV US