Peter Goldstein

An application-operating organization may delegate a third-party server to serve as an automated contextual authentication responder and an authorization responder. The third-party server may manage a delegated section of the organization's namespace that includes the public identities of various devices controlled by the organization. The third-party server may also dynamically generate interaction control list that is tailored to a requesting device's context based on the interaction control… Show more

An application-operating organization may delegate a third-party server to serve as an automated contextual authentication responder and an authorization responder. The third-party server may manage a delegated section of the organization's namespace that includes the public identities of various devices controlled by the organization. The third-party server may also dynamically generate interaction control list that is tailored to a requesting device's context based on the interaction control policies set forth by the organization. The interaction control list may include information that determines the authorization of the requesting device to interact with another device. The third-party server may also automatically determine the role of a new device to which existing policies are inapplicable and provide guided workflow for the organization to set up new interaction control policies in governing the new device. The determination of the roles of devices may be based on an iterative process using external data sources. Show less

A DNS server receives from a receiving email system, a DNS query for an email domain stored at the DNS server, the DNS query including identifying information of a sender of an email. The DNS server extracts the identifying information of the email sender from the DNS query and identifies one of a plurality of delivering organizations from the information. The DNS server determines whether the identified delivering organization is authorized to deliver email on behalf of the email domain. In… Show more

A DNS server receives from a receiving email system, a DNS query for an email domain stored at the DNS server, the DNS query including identifying information of a sender of an email. The DNS server extracts the identifying information of the email sender from the DNS query and identifies one of a plurality of delivering organizations from the information. The DNS server determines whether the identified delivering organization is authorized to deliver email on behalf of the email domain. In response to determining that the identified delivering organization is authorized to deliver email on behalf of the email domain, the DNS server generates a target validation record based on the identity of the authorized delivering organization and the email domain, the target validation record including one or more rules indicating to the receiving email system whether the delivering organization is an authorized sender of email for the email domain. Show less

A delivering email system is configured to receive a request to send an email to a recipient, identify an authentication method of a sender account for the email, modify email headers of the email to include an indication of the authentication method, generate digital signatures for the email that include the email headers within a scope of the digital signatures, modify the email such that an email header of the email includes the digital signatures, and transmit the email, including the… Show more

A delivering email system is configured to receive a request to send an email to a recipient, identify an authentication method of a sender account for the email, modify email headers of the email to include an indication of the authentication method, generate digital signatures for the email that include the email headers within a scope of the digital signatures, modify the email such that an email header of the email includes the digital signatures, and transmit the email, including the indication of the authentication method and the digital signatures, to the recipient at a receiving email system. The receiving email system is configured to receive the email, determine that the email headers are unaltered by validating the digital signatures against a public key of the sender domain, determine whether the authentication method indicated meets a criteria, and execute a security response against the email if not. Show less

An email validation system receives an email validation request from a requestor to validate an email, the email validation request indicating at least a sender domain indicating a domain of the sender of the email. The email validation system determines whether the sender domain is in a whitelist of known domains, wherein a known domain is a domain that is linked to an organization whose provenance is known, such that it can be linked to an identifiable entity in the real world. The email… Show more

An email validation system receives an email validation request from a requestor to validate an email, the email validation request indicating at least a sender domain indicating a domain of the sender of the email. The email validation system determines whether the sender domain is in a whitelist of known domains, wherein a known domain is a domain that is linked to an organization whose provenance is known, such that it can be linked to an identifiable entity in the real world. The email validation system generates, in response to determining that the sender domain is not in the list of known domains, a message indicating that the email is not valid. The email validation system generates, in response to determining that the sender domain is in the list of known domains, the message indicating that the email is valid, and transmits the message to the requestor. Show less

A third-party server, delegated by organizations to manage application environment, may maintain a plurality of guided workflow plans. At least one of the guided workflow plans may include one or more steps associated with setting up an interaction control policy. The third-party server may receive an interaction report associated with the organization. The interaction report may include metadata of one or more devices that interacted with other devices. The third-party server may identify a… Show more

A third-party server, delegated by organizations to manage application environment, may maintain a plurality of guided workflow plans. At least one of the guided workflow plans may include one or more steps associated with setting up an interaction control policy. The third-party server may receive an interaction report associated with the organization. The interaction report may include metadata of one or more devices that interacted with other devices. The third-party server may identify a particular device to which existing interaction control policies of the organization are inapplicable. The third-party server may search for additional out-of-band information of the particular device using the metadata in the interaction report. The third-party server may select an applicable guided workflow plan for setting up an applicable interaction control policy for the particular device. A guided workflow may be presented via a graphical user interface according to the applicable guided workflow plan. Show less

Embodiments relate to a system that may include a third-party server and a domain name system (DNS). The third-party server may be configured to receive a request for a session token from a named entity device for the named entity device to communicate with an application programming interface (API). The API may be associated with a domain. The third-party server may obtain the session token from the API. The third-party server may encrypt the session token with a public key corresponding to… Show more

Embodiments relate to a system that may include a third-party server and a domain name system (DNS). The third-party server may be configured to receive a request for a session token from a named entity device for the named entity device to communicate with an application programming interface (API). The API may be associated with a domain. The third-party server may obtain the session token from the API. The third-party server may encrypt the session token with a public key corresponding to the named entity device to generate an encrypted session token. The DNS may be configured to receive the encrypted session token and publish a DNS record at a namespace of the DNS, the DNS record containing the encrypted session token for the named entity device to retrieve the session token. The named entity device may decrypt the encrypted session token by the private key stored at the device. Show less

A third-party server may maintain a list of named entity devices that belong to one or more roles in an application environment. The server may receive an authorization query from a policy consuming device. The authorization query may include an identity of a particular named entity device which sent a message to the policy consuming device and contextual metadata associated with the message. The server may determine that the particular named entity device belongs to one of the roles and filter… Show more

A third-party server may maintain a list of named entity devices that belong to one or more roles in an application environment. The server may receive an authorization query from a policy consuming device. The authorization query may include an identity of a particular named entity device which sent a message to the policy consuming device and contextual metadata associated with the message. The server may determine that the particular named entity device belongs to one of the roles and filter the list based on the contextual metadata. The server may generate an interaction control list that includes the filtered list and transmit the interaction control list to the policy consuming device as a response to the authorization query. The interaction control list causes the policy consuming device to react to the message based on the interaction control list. Show less

A DNS server receives from a receiving email system, a DNS query for an email domain stored at the DNS server, the DNS query including identifying information of a sender of an email. The DNS server extracts the identifying information of the email sender from the DNS query and identifies one of a plurality of delivering organizations from the information. The DNS server determines whether the identified delivering organization is authorized to deliver email on behalf of the email domain. In… Show more

A DNS server receives from a receiving email system, a DNS query for an email domain stored at the DNS server, the DNS query including identifying information of a sender of an email. The DNS server extracts the identifying information of the email sender from the DNS query and identifies one of a plurality of delivering organizations from the information. The DNS server determines whether the identified delivering organization is authorized to deliver email on behalf of the email domain. In response to determining that the identified delivering organization is authorized to deliver email on behalf of the email domain, the DNS server generates a target validation record based on the identity of the authorized delivering organization and the email domain, the target validation record including one or more rules indicating to the receiving email system whether the delivering organization is an authorized sender of email for the email domain. Show less

A third party system generates a public-private key pair, the public key of the key pair being an encryption key, and the private key of the key pair being a decryption key. The third party system publishes the encryption key as a DNS record of a third party system. The third party system receives a request to sign a message on behalf of a domain owner, the message to be sent to a recipient, and accesses an encrypted delegated private key published by the domain owner via a DNS record of the… Show more

A third party system generates a public-private key pair, the public key of the key pair being an encryption key, and the private key of the key pair being a decryption key. The third party system publishes the encryption key as a DNS record of a third party system. The third party system receives a request to sign a message on behalf of a domain owner, the message to be sent to a recipient, and accesses an encrypted delegated private key published by the domain owner via a DNS record of the domain owner, the encrypted delegated private key encrypted using the encryption key. The third party system decrypts the encrypted delegated private key using the decryption key, and generates a signature for the message using the delegated private key. The third party system sends the signature and the message to the recipient. Show less