Description of the Related Art: While the growth of Internet commerce has and continues to grow at a substantial pace, problems remain in determining how to manage and perform many different types of commercial transactions over the Internet or other open network communications mediums. These problems generally concern the issue of establishing a trusted relationship between providers and

consumers based on a system that maintains, if not enforces, the credibility of the trusted relationship.

In commerce oriented to the delivery of physical goods and services the trusted relationship has an inherent touch-stone for guaranteeing performance of commercial transactions. The delivered goods and services must be acceptable to the consumer or the transaction will be returned or refused. In the case of commerce directed to the delivery of digital content, however, there is no such touch-stone. The digital goods delivered are essentially intangible, if not also transient. Thus, the trust issues of whether the proper digital goods were delivered by the content providers and whether addition copies of the goods are made by the consumers exist particularly in the realm of electronic commerce of digital goods.

Beyond the trust issues, performance of commercial electronic transactions for digital content are limited by a number of practical, commercial, and even ethical issues that must be adequately resolved. One of the most immediate and tangible problems that must be faced before wide- spread adoption of any system of electronic commerce in digital goods can be used is that many forms of digital goods are relatively small in terms of their direct financial cost to a consumer. The existing public financial transaction system is based on charging transaction fees for obtaining compensation for the processing of individual fund transfers. As a result, the accumulated costs associated with the commercialization of digital goods severely constrains, if not precludes, the potential profitability of the sales of many types of digital goods.

Substantial commercialization problems also arise from the existing natural structure of the content providers and their relationships with the consuming public. Specifically, the content originators for digital goods, such as the many different kinds of artists, performers, writers, and other artisans of works that can be represented by an intangible, are rarely prepared to directly commercialize their works. Rather, these works today are transported, packaged, and distributed through a myriad of producers, distributors, warehousers, and resellers before ever reaching a retailer. These works are also often commercialized in conjunction with advertising, promotion, and

other campaigns to support the commercialization of these or other goods, even goods that are not amenable to electronic sale or delivery. The complexity of these commercialization processes has resulted in the development of a rich and diversified set of industries that together create and operate the various distribution channels that connect today's content providers with their consumers.

Today, there are only limited, and very simplistic electronic distribution channels for a small and very select group and type of digital goods. The purely electronic distribution of computer software titles is typically supported by Internet retailers through direct download Web sites. The digital goods sold are highly unitized, typically represent a significant financial cost to the consumer, and fully correspond to conventionally distributed and retailed goods. Essentially all other aspects of these electronic distribution channels, such as advertising and promotions, are conventional in nature.

Consequently, there is not any substantially or even significantly complete electronic distribution channels that are capable of handling the wide variety of digital goods commerce that potentially exists.

Finally, the recurring issue of privacy, as particularly occurs in all matters involving the Internet, also creates some unique problems for electronic commerce for digital goods. Regardless of the specifics of particular individuals and instances of particular digital goods, there is a clear desire and need for consumers to have confidence that their electronic transactions are and remain private. Like any other produced or manufactured digital goods, the records of electronic transactions are themselves digital goods that, if available, are susceptible to being processed, repackaged, and sold. Where the digital goods distribution channel involves only the electronic retailer, an apparently adequate degree of trust over the privacy of any particular transaction seems to exist. This degree of acceptance in regards to privacy, however, is very unlikely to exist where an electronic distribution channel is both complex and involves many layers of different electronic packagers, distributors, and resellers, all of whom are at least perceived by the consumer to have access to or knowledge of any particular electronic transaction.

Consequently, there is a need for an electronic distribution system for the wide variety of digital goods that exist today, where the system cost- effectively establishes and credibly maintains an effective and acceptable degree of trust between the content originators, all layers of distribution, and the consumers of digital goods.

Summary of the Invention Thus, a general purpose of the present invention is to provide for the structure and operation of a digital distribution channel for digital goods This is achieved in the present invention by providing a digital distribution channel management system that includes a digital warehouse storing different master copies of digital goods awaiting transfer and a transaction database that stores a plurality of transaction records. A transaction server is provided coupleable to a communications network, such as the Internet. The transaction server is responsive to requests from the communications network to serve an instance of a particular digital goods.

The request includes predetermined information that is authenticateable against a predetermined transaction database record that stored in the transaction database. The transaction server provides for the digital signing of the instance of the digital goods and the serving of the instance back onto the communications network where the predetermined information is successfully authenticated against the predetermined transaction database record.

An advantage of the present invention is that the system provides for the aggregation of many small transactions into unitary, cost-effective financial transactions.

Another advantage of the present invention is that the system provides for the establishment of universal trust relationships between any number of content originators, content providers, distributors and repackagers, and the consumers. Additionally, these trust relationships are maintained through use of a comprehensive distribution system that enforces the relationships and

thereby provides a highly credible support foundation for the maintenance of these relationships.

A further advantage of the present invention is that the system specifically supports anonymous transactions as a default structural implementation of the system, thereby providing a very credible level of privacy for the commercial users of the system. Control over the release of information regarding any transactions can be directly established as belonging to the consumer.

Still another advantage of the present invention is that the aggregational vehicle utilized by the present invention can be made both tangible and redistributeable. A physical card may be made the specific controlling entity that allows or supports the execution of an electronic transaction for the distribution of some digital goods, thereby allowing the card itself to be transferred between consumers. This redistribution ability directly provides for substantial flexibility to use the present invention in widely different, simple to quite complex, single to multiparty distribution, advertising, and other promotional activities, as well as re-distribution as gifts, incentives, subscriptions, and sponsored activities.

Yet another advantage of the present invention is that implementations of the aggregational vehicle, such as a card, permit use to be specifically defined on a pre-emptive basis. The effective financial value attached to a card is defined and held by the system. Thus, the financial impact of the loss or mis-use of a card is limite. Further, the promotional, sponsored, or other branding-type value of a card is definable and potentially re-definable through the system by specification of the type, titles, categories, or other restrictions on the digital goods that can be electronically delivered through the use of any particular card or set of cards.

Still another advantage of the present invention is that the effective financial value of an aggregational vehicle, such as a card, can be re-charged through either a promotional, sponsored, or other branding-type source transaction or by a consumer transaction, such as the transfer of actual funds to the transactional account represented by the aggregational vehicle. The potential also exists to allow the aggregational vehicle to support the

aggregation of transactional accounts, yet maintain the specific limitations on account fund values provided by or through different promotional, sponsored, or other branding-type source transactions. A single card may thus be able to be used as multiple virtual cards, each carrying their own usage-limitations and effective account balances.

A yet further advantage of the present invention is that the aggregational vehicle may be also used in connection with the purchases of tangible goods. An electronic transaction based on a card may be sponsored or hosted directly or indirectly by a bricks-and-mortar retail site. By establishment of a channel-type relationship with the allocation of funds to the channel distributor for use in connection with the purchase of tangible goods and services, the distribution of digital goods may be constrained to occur only with the concurrent or prior purchase or use of some tangible goods.

Brief Description of the Drawings These and other advantages and features of the present invention will become better understood upon consideration of the following detailed description of the invention when considered in connection with the accompanying drawings, in which like reference numerals designate like parts throughout the figures thereof, and wherein: Figures 1 A, 1 B, AND 1 C generally depict, in flow-graph form, the relationships and transfers supported by the present invention in connection with the distribution of digital goods and the management of the electronic transactions in connection therewith; Figure 2 shows the effective construction or digital packaging of digital content as an electronically deliverable digital goods in accordance with a preferred embodiment of the present invention; Figure 3A illustrates the delivery of electronically deliverable digital goods, in accordance with a preferred embodiment of the present invention, to any of a number of different consumer devices capable of utilizing delivered digital goods;

Figure 3B illustrates a client utilization of electronicallydeliverable digital goods in accordance with a preferred embodiment of the present invention; Figure 4 shows the system architecture of a distribution channel transaction management system constructed in accordance with a preferred embodiment of the present invention; Figure 5 shows a transaction handling process flow for authenticating and recording a transaction request in accordance with a preferred embodiment of the present invention; Figure 6 shows an expanded security process flow for dynamically handling security exceptions in the transaction handling process flow shown in Figure 5 in accordance with a preferred embodiment of the present invention; Figure 7 shows an expanded registration process flow for handling security consumer registration in the transaction handling process flow shown in Figure 5 in accordance with a preferred embodiment of the present invention; and Figure 8 shows an expanded focus limitation and digital goods delivery management process flow for dynamically handling digital goods selection and transfer fulfillment in the transaction handling process flow shown in Figure 5 in accordance with a preferred embodiment of the present invention.

Detailed Description of the Invention The present invention provides the structure and operation of a digital distribution channel 10 for digital goods, as generally shown in Figure lA. A channel management computer system 12 preferably hosts a distributor commerce (D-Commerce) site 14 on the Internet or other communications network to operate as a communications point of contact for requests for digital goods and management of the corresponding electronic transactions.

The distributor commerce site 14 is preferably implemented as a high- performance Web server computer system executing a Web server application, such as the Microsoft@ Internet Information ServerT"" (IIS).

Preferably, the computer system 12 stores digital goods as digital content files 16 in a secure storage device 18, effecting a digital warehousing

of available digital goods. The secure store device 18 is implemented as a secure server system that includes a redundant array of hard disk drives to ensure the data integrity of the stored digital content. The secure server system itself is preferably protected from unauthorized electronic access through the use of a secure operating system, which can be implemented at a minimum through use of the Microsoft@ WindowsNT TI secure server operating system.

Physical security over the secure server system is also preferably provided.

These protections together provide a highly credible secure environment for managing the storage of the digital goods.

The distributor commerce site 14 preferably utilizes a high-performance transaction oriented database 20 to provide access to transaction and related account records used for authenticating distribution requests and recording the corresponding completed electronic transactions. The database 20 may be hosted on a separate database server computer system, which can be readily implemented using MicrosoftOO MSSQLT""and WindowsNTT""file server operating system.

Other components of the channel management computer system 12 preferably include a system management user interface 22 to the distributor commerce site 14 system and an off-line account management system 24.

The System management interface 22 provides local maintenance access and set of maintenance tools for use in operating the distributor site 14. The account management system 24 likewise generally provides a local user interface and set of tools for establishing and processing accounting information and providing reports of account activity by users of the channel management computer system 12.

Finally, a key generation component 28 is provided within the generally secure environment of the channel management computer system 12. This key generation component 28 is operated preferably though the system management user interface 22 to produce and manage a collection of keys -generally identification codes and personal identification numbers (PINs)- that are to be used in conjunction with the authentication of distribution requests as received by the distributor site 14.

The digital content 16 is preferably obtained from content providers 30, which may include content originators directly or indirect as represented by agents and other entities that have the legal authority to engage the distribution and sale of digital content. In the presently preferred embodiment of the present invention, the digital content 16 is digitized music tracks (individual songs) and collections (digital albums). The relevant content providers therefore include musicians, their contractual agents, and the many different music studios. The contractual rights for distribution are obtained 32 on behalf of the channel management computer system 12 in a conventional manner. The actual digital content 16 is thereafter obtained through any number of different forms of digital transport 34, provided that the transport 34 is secure 36. A preferred form of secure digital transport 34 is through use of an encrypted digital transfer over the Internet. One such form of secure, encrypted transfer 34 is provided utilizing the Netscape3 Secure Sockets Layer (SSL). An addition layer of security may be provided by requiring the transfer to be made subject to the digital certification of the sending and receiving sites through the use of Digital Certificates, which is an optional feature of SSL. A private communications network may also be used, alone or in some combination with SSL and Digital Certificates. Digital transport through the use of a fixed, tangible digital medium, such as a compact disk (CD), may also be used.

Use of these security mechanisms ensures to the content providers that their content is accurately and actually delivered to the channel management computer system 12. The reliability of the transfer of the digital content 16 thus forms a substantial credible basis for maintaining the trust relationships between the content providers and the operator of the channel management computer system 12.

Digital content 16 is available for distribution by the channel management computer system 12 preferablythrough the distributor commerce site 14 received through a generally secure digital transport medium 38.

Requests for distribution are received generally in relation to any retail site 40 or e-commerce site 42 that has established a distribution relationship with the operator of the channel management computer system 12. This relationship may be direct or indirect through a third party that has ultimately established a direct relationship with the operator of the channel management computer system 12.

As generally shown in relationship to the retail site 40, the relationship may be established as a direct relationship 44 or through a promoter 46 as an indirect relationship 38. As a result of the relationship with the operator of the channel management computer system 12, an aggregation vehicle is provided to a consumer. As shown, and in the preferred embodiment of the present invention, a tangible card 50 is issued to a specific consumer.

Whereas the generalized aggregation vehicle is logically defined by certain data, the card 50 provides a convenient physical representation of essentially the same data. For a preferred embodiment of the present invention, Table I lists the pertinent data represented, if not explicitly printed, on a card 50.

Table I-Card Data Data Type Description SponsorAnadvertising-typegraphicand/orlogo typically Personalization:coveringthefrontofthecard. SeriesNumber:Analpha-numericidentifierofasetofcardsassociate d withaparticularpromotion,sponsoredevent, subscription,etc. CardKey:Auniquenumberidentifyingthecard. PIN:Anidentificationnumberusabletoverifytheauthenticity oftheCardKey. SponsorNameandoptionallytherealaddressofthepromoteror Identification:sponsorofthiscardseries. RedemptionOneormoreWebaddressesthatallowaselectionof Site:somedigitalgoodsandthatsupportredemptionsofpart orall of the allocatedmonetaryvalueofacardaspartof anelectronictransactionfortheselecteddigitalgoods. InitialValue:Identificationoftheinitialmonetaryvalueofthecar d. Optional.

Table I-Card Data DataTypeDescription ExpirationApromotionalofferoruseterminationdateforthiscard. Date:Optional. TotalUses:Asubscriptionlimitationonthetotalnumberof redemptionsallowedforthiscard.Optional.

A card 50 is preferably presented 52 to a corresponding retail site 40 through an access of a public redemption Web site hosted by or on behalf of the retail site 40. This site would typically include the Web page identified on the card and others that allow for the consumer's selection of some digital goods. One of the Web pages will preferably support the identification of the goods selected and provide for the input of at least the key and PIN data from the card 50. With the selection of a'submit'button, the consumer would then preferably perceive that this information is forwarded as part of a digital goods distribution request to the retail site 40. In the initially preferred embodiment of the present invention, this page, though appearing as one of the Web pages hosted by the retail site 50, is a Web page hosted by and as part of the distributor commerce site 14. In this manner, the selection and card data 50 is securely submitted directly to the distributor commerce site 14 for authentication and, as appropriate, fulfillment.

The fulfillment of the distribution request is dependent on a number of requirements, including validation of the card key and PIN, verifying that the card distribution request is within the expiration date or number of uses limitation of the card, and whether the selected digital goods are available for redemption against the card. This set of requirements is variable based on the program or profile of such requirements that is established by the retail site 40 or promoter 46 for a particular series of cards 50. That is, the relationship established variously between the operator of the channel management computer system 12, the retail site 40, and the promoter 46 is used to establish, on a per series basis, a set of qualifying requirements for the redemption of the card. These transaction rules are stored in the transaction

database 20 in effect as a set of business rules that are evaluated upon receipt of each distribution request. The series numbers of the cards preferably provides for the segmentation of the rules into defined program profiles for the corresponding sets of cards.

Provided that fulfillment is approved, an instance of selected digital content 16 is securely signed based on a unique key provided from the key generation component 28. The resulting packaged instance of the selected digital content, representing verifiably deliverable digital goods, is then electronically transferred to a digital content store/player 54 designated by the consumer for receipt of the selected digital content. This player 54 preferably includes a processor, content rendering engine, and memory that together provide for the storage and presentation of the digital content. In a preferred embodiment of the present invention, the player 54 is a conventional consumer's personal computer. Where the digital content 16 is some combination of audio and video, a conventional multi-media equipped personal computer is fully capable of performing the rendering and presentation of the digital content 16.

The use of the present invention in connection with e-commerce sites 42 is generally similar to the use in connection with the retail sites 40. E- commerce sites 42, however, generally only exist in cyberspace-there is typically no realspace presence as in the case of retail sites 40-and therefore naturally present themselves as public Web sites accessible over the Internet 56. These e-commerce sites 42 preferably establish relationships with the operator of the channel management computer system 12 to allow the sites 42 to acquire and vend aggregation vehicles, such as the card 50. These cards, may be vended over the Internet 56 by anyone one with a directly or indirect established relationship with the operator of the channel management computer system 12. Thus, the promoter 46, other reseller or sponsor, or even a gift giver 58 can provide the card to a digital goods consumer either directly or through an electronic transaction over the Internet 56.

As before, the redemption of a card 50 for digital goods occurs in connection with selection and ordering Web pages that at least appear to be presented or hosted by the e-commerce site 42. Subject to the appropriate authentication and validation ofthe digital goods selected against the card 50, the digital goods are transferred to the designated digital content store/player 54.

The flexibility of the present invention to provide for a rich set of commercial and non-commercial distribution opportunities in connection with electronic transactions for digital goods is further evident from the exemplary processes generally shown in Figures 1B and lc. The different business models generally represented in these figures are summarized in Table 11 below.

Table 11-Business Models Usage Mode ! Mode ! Description Sponsor:Anadvertisingsponsorofgoods or services underwrites the distributionofcardswithassignedvalues,focuslimitations, etc.tointroducethegoodsorservicesortocreateand increasebrandawarenessof thesponsorandotherrelated goodsandservices. Promotion:Apromoterofsomegoodsorservicessponsorsthe distributionofcardsinconnectionwiththepurchaseoruse thepromotedgoodsorservices,thuscreatingor supportinganadvertisingtie-incampaign. Affinity:Apromoterofaneventorproductintroductionsponsors thedistributionofcardstoencourageconsumersampling andacceptanceoftheeventorproductandtopurchase andre-purchasetherelatedgoodsandservices. Subscription:Apromoterororiginatorofsomeserialcontentdistrib utes cardstoestablishanongoingrelationshipwithconsumers fortheserialcontent,whileconstrainingtherepeated accesstotheserialcontenttocomplywithbusinessrules definingthevalue,identity,redistribution,repeateduseand otheraspectsoftheserialcontent.

<BR> <BR> <P>Table 11-Business Models UsageModel Model Description Reporting:Amanagerofaprograminvolvingtheaccessor employmentofsomecontentbyadefinitesetofusersmay issuecardstodefineaccessandusageparametersthat canthenbereportedtothemanager. Combination:Anycombinationoftheaboveorothersimilarusage models.

For a promotion or sponsored model, the system 70 shown in Figure 1B provides a distributor site 14 that operates as the entry point to an embodiment of the Internet distribution control system 12 of the present invention. Based on relationships with particular promoter sites 72 and providers of focused content 74, a promotion or sponsored distribution campaign can be organized and controlled through the operation of the Internet distribution control system 12. The specific focus limitations to be employed for any particular series of cards 50 is preemptively established in conjunction with the promoter site 72, which in turn is selected to advance the objectives of the promotion. The cards 50 may be distributed through retail outlets 76 to end-users/consumers 78 as a specific inducement for the end- users 78 to visit the retail outlets 76, as necessary to actually obtain a card 50 such as through the purchase of some other product or service of the retail outlet 76.

Since the card 50 for a particular promotion activity can only be obtained from specified retail outlets, and only in conjunction with some other specific activity, the promotion opportunity retains the specific focus not only as desired by the promoter 72, but fully consistent with similar conventional promotion activities. In the case of many advertising campaigns sponsored by the original manufacturers of particular goods or even digital content itself, the present invention allows the promoter 72 to effectively manage and control the campaign by minimizing the complex involvement of the individual retail outlets 76 to specific distribution activities that are easily manageable. Further, the specification and enforcement of the promotion redemption activities can

also be off-loaded to the Internet distribution control system 12 while at least maintaining the appearance that the redemption process is entirely within the branded domain of the promoter site 72, and therefore both building and bearing the consumer's trust of the promoter's brand. Furthermore, the off- loading of the redemption activities to the Interne distribution control system 12 only increases the tangible cost-effectiveness of the promotional campaign and the intangible credibility of the Internet distribution control system 12 to correctly process the redemption information and ensure that the correct digital goods are provided in the fulfillment process.

The source/subscriber system 90, as generally shown in Figure 1 C, further demonstrates the variability of use of the present invention. In this exemplary case, the Internet distribution control system 12 may be used by a content source/originator 92 in a limited role as a digital order management/fulfillment house. The content source/originator 92 may, in accordance with a preferred embodiment of the present invention, fully host the selection/ordering Web pages 80 as well as distribute cards 50 directly or indirect as self-determined to the end-user/subscribers of the content source/originator 92. In this case, the digital content produced by the content source/originator 92 may be provided through a focus content provider 74, as shown, or directly to the Internet distribution control system 12 for use in subsequent redemption fulfillment. The distributor site 14 therefore operates merely as a source of card 50 series to the content source/originator 92 and as a limited portal for the distribution of the corresponding digital content in response to redemption requests provided from the content source/originator site 92. The actual and perceived relationship between the end- user/subscriber and the content source/originator 92 is therefore direct and real. The Internet distribution control system 12 and distribution site 14 transparently operate as a trusted digital distributor to the content source/originator 92.

In both the systems 70,90, the present invention supports the targeted objectives of the business models used by the promoter 72 and content source 92 by supporting the constrained fulfillment of redemption requests. The Internet distribution control system 12 not only provides for the authentication

of the cards 50 as electronically presented for redemption, but also provides for the limitation of the redemption to predefined, or focus selected digital goods. For example, a promotion targeted to a specific audio artist's works is desirably focused on just that artist's body of works. The present invention provides, through the operation of the Internet distribution control system 12, a limiting of a specific card series to a particular profile of redeemable digital goods. Thus, a fully authenticated card 50 may yet be denied for a particular selected digital goods where the goods are determined by the Internet distribution control system 12 to lay outside of the defined scope of the particular promotion for which the card 50 was distributed. There is, however, a substantial degree of freedom in how the scope of a promotion is defined.

For any promoted activity, works, or even digital goods, the scope of the promotion may be defined along any categorization line or genre that can be defined by a set of business rules executable by the Internet distribution control system 12. Thus, the promotion of a specific'blues'recording artist may yet allow redemption of digital goods that (1) are by that particular artist; (2) are blues recordings owned or controlled by the artist's record label; (3) are blues or jazz recordings, blues or jazz musical videos, or blues-type movies that are owned or controlled by the promoter's studio; or (4) relate to some other digital goods product that is desired by the promoter to be tied to the artist's name.

In accordance with a preferred embodiment of the present invention, the digital content packaged and delivered as digital goods is a composite of multiple individual instances of different digital content. As generally shown in Figure 2, a process of digital packaging 100 is preferably employed to produce a digital goods 102 that is suitable for distribution and capable of maintaining the trust relationships between the content providers and distributor by presenting a highly credible basis for ensuring that the digital content distributed is not improperly resold, redistributed, or copied for resale or distribution. The digital goods 102 is preferably a unitary file that contains the full content associated with a particular distribution license. In the case of music, single tracks, sets of tracks, or entire albums are often defined as individual licensable entities. Alternately, a specific recording of a song and

a corresponding music video may constitute the licensable entity. In any of these cases, the corresponding digital content representing the licensable entity is treated in the packaging process 100 as digital content 104, which is subjected to a highly-secure digital packaging, encoding and encrypting operation 112,114. There are many different suitable encoding processes that are commercially licensable. In at least the initially preferred embodiment of the present invention, the digital encoder/encryption process 114 is an implementation of the Intel Software Integrity System, which is commercially available under license from Untel@ Corporation, Santa Clara, California. In a preferred embodiment of the present invention, a commercially licensable software system is utilized to initial package the digital content 104 with some basic, packaging operutor-supplied text content 106, which is descriptive of the digital content 104. This software system is obtainable from Preview Systems, Inc., Cupertino, California.

In accordance with the preferred embodiments of the present invention, however, addition content, such as binary content 108 and text-oriented content 110 is also provided as source material to the digital packaging process 100. The binary content 108 may include graphics, icons, applets, programs, and other material typically represented as binary images. In connection with a music album, for example, the binary content 108 may simply be the cover and related art originally released with the album compact disk. The binary content 108 could also include a computer installable icon that is used to represent the album within the filesystem of the computer and an applet that presents advertisements and related offers as the album is played. The ability to include a program within the binary content 108 would allow concurrent distribution of a demonstration game or other application program. Alternately, the included program could be one or more"plug-in" components useable by a digital content player to enhance or add to the listening or viewing experience of the digital content 104.

The text-oriented content 110 may also include a number of different text entities, potentially in different specific formats. For example, a plain text copy of the liner notes of an album could be included in the content 110. The lyrics of the different songs present in the album might also be included in a

text format appropriate to be read and displayed by an applet included as part of the binary content 108 or provided as part of an XML (extensible markup langage), HTML and/or JavaScript file stored as still other textual content 110. Other XML and/or HTML files, stored as textual content 110, may provide additional information regarding the album and provide various hyper-text links to Web sites where additional relevant information may be obtained, thereby enhancing the end-user/consumer's experience and perceived value of the digital goods obtained through uses of the present invention.

The digital packaging 112 of the different digital, binary, and textual content 104,108,110 preferably provides for the organization of the content into a composite, transient document that is then further packaged to produce the unitary digital goods file 102. In creating the composite document, the different input content 104,106,108,110 is preferably numerically compressed using conventional algorithms appropriate for the particular type of content. In the case of content where lossless compression is required, implementations of the Lempel-Zev-Welch (LZW) or other similar algorithms may be used. Graphics and other similar types of binary images may be compressed using JPEG or other similar types of lossy compression.

Once appropriately encoded and compressed, the various content is organized and placed into the digital goods file 102. This file 102 preferably includes a version identifier 116 and a digital signature 118. The version identifier 116 may be variously used to identify, directly or indirectly, the specifics of the digital packager and encodingl 12,114 and, therefore, how the file 102 may be properly interpreted and parsed when subsequently examined for use by a content player. The digital signature 118 is used to provide, at a minimum, a basis for subsequently confirming the integrity of the digital goods file 102.

In a preferred embodiment of the present invention, the digital goods file 102 then contains an internal component 134 that includes an XML document 120, an object locators block 122, and an objects block 124. The XML document 120 is constructed, at least in part, through the operation of the digital packager 112 to include an appropriate description or identification of

the various other parts of the component 134. Thus, the XML document 120 preferably includes XML references to the objects the content 108,110 that are composited as part of the digital goods file 102. These XML references, however, would conventionally identify additional external documents and files. The public XML standard, as developed and published by the W3C (World Wide Web Consortium), does not provide a mechanism for the XML references to point back to the same file component 134 that contains the XML document 120. This is consistent with the conventionally recognized and intended uses of XML in connection with the organization and presentation of distributed information across an open communications medium, such as the Web.

In connection with the present invention, the organization capabilities provided through the use of an XML document as conventionally defined is in tension with the need to provide digital goods through electronic transactions with certainty that the entirety of the digital goods are both transferred completely and remain properly organized for ready use by the end- user/consumer.

The present invention, therefore, provides the XML document 120 with the addition ability to self-reference the file component 134, even as embedded within the digital goods file 102. The digital packaging process step 112 of compositing the various content 104,108,110 provides for the creation of an objects locators block 122 within the component 134. The objects locators block 122 provides a table of offsets or other pointers to the different objects 124 derived through the packaging from the binary content 108 and textual content 110. Thus, parsing of the XML document 120 in connection with the objects locators block 122 in accordance with the present invention allows all of the objects 124 be separately identified even while digitally packaged into a single digital goods file 102.

Once the digital goods file 102 is fully composited, the digital packaging step 112 operates to prepare a digital signature that covers the composited file 102. Preferably, the digital goods file 102 is processed through a digital signature generator provided as part of the encoder/encryption 114 to produce a binary string that securely represents the

contents of the file 102. In a preferred embodiment of the present invention, the digital signature generator 114 includes a conventional software component implementing a public key encryption algorithm. At least the core secure public key encryption engine, as used by the digital signature generator 114, is commercial licensable from conventional software vendors. For the preferred embodiment of the present invention, the digital signature generator 114 utilizes a SecurelD public key encryption component, which is a publicly licensable product of RSA Security, Inc., San Mateo, California.

Since the generation of the digital signature is based on a public key encryption algorithm, the generator, 114 also takes as inputs a private key 128, corresponding to the identity of the distribution management system for the particular instance or series of instances of the digital goods 102 and a public key 130. As a product of the signature generation process 114, a second private key, which is used to form the basis of a separate digital license 132, is also generated. Finally, the binary signature string produced by the digital signal generator is then written to the signature field of the digital goods file 102. At this point, the completed instance of the digital goods file 102 is ready for electronic transport to an end-user/consumer.

A preferred process 140 of providing for the distribution of the digital goods file 102 is shown in Figure 3A. A fully prepared instance of the digital goods file 102 is passed through the distributor site 14 by the Internet distribution control system 12 to the Internet 142 as part of a conventional HTTP transaction. The destination of the digital goods file 102 is generally any content store/player that is designated by the consumer and that is available to participate, directly or indirectly, in the HTTP transaction. Suitable content store/players include multi-media equipped personal computers 144, digital content audio players 146, and other digital audio/visual players and digital appliances 148, such as digital personal assistants (PDAs) and digital books that can store and present digital information. The actual HTTP transfer of the digital goods file 102 is preferably performed using SSL to ensure that the transfer of the digital goods file 102 and, separately, the digital license file 132 are both delivered to the consumer without interception by any third party.

This process of distribution 140 may be simplifie by providing for the actual digital goods file 102 to be prepared and delivered to a consumer separate from the delivery of the digital license 132. Specifically, different Internet and non-Internet delivery mechanisms may be employed to deliverthe digital goods file 102. For example, a physical compact disk containing any number of different digital goods files 102 may be shipped or otherwise delivered into the possession of a consumer, potentially as part of a promotion. Digital goods files 102 may also be pre-installed in a newly purchased multi-media computer system. The digital goods files 102 may also be provided on software CD-ROMS that are purchased by consumers purely for the software program content. Alternately, the digital goods file 102 may be streamed over the Internet to the consumer. As part of a digital stream, the digital goods file 102 is only transiently stored by the consumer.

In all of these cases, the absence of a valid digital license precludes the content of the digital goods file 102 from being accessed or limited to a short preview of the content.

A generalized digital content store/player 150 is shown in Figure 3B.

The content store/player 150, in accordance with a preferred embodiment of the present invention, includes a microprocessor 152 is capable of being uniquely identified, such as by the presence of a hardware identifier (ulD) 154, and a storage system 156, at least logically local to the microprocessor 152, that is capable of storing some number of digital goods files 102 and the corresponding digital licenses 132. The player 150 also preferably includes some combination of audio stream renderers, such as hardware audio decoders 158, and speakers 160, video stream renders, such as hardware video display controller 162, and display system 164, depending on the intended use of the player 150. In addition, other stream data renderers 166 and corresponding presentation units 168 may be provided. These addition renderers may provide for the presentation of other sensor data, such as force feedback in games, and sub-sonic vibrations and environmental lighting modulation in conjunction with, for example, live concert recordings and action movies.

The microprocessor 152 preferably executes an application program that implements the software processes 170 that provide for the processing of the digital goods file 102. Specifically, the software processes 170 provide an XML object server 172 that supports accesses by an XML parser 174 to select and retrieve the constituent parts of the digital goods file 102. In the preferred embodiment of the present invention, the XML object server 172 provides the bridging functionality of an essentially conventional XML parser at the core of the parser process 174 to be able to access the object locators block 122 as corresponding XML references are parsed from the XML document 120. Thus, the XML object server performs a redirection function as needed to support the XML parser 174. All of the component parts of the digital goods file 102 are therefore made available to the software processes 170 under the organization of the XML document 120.

Preferablythen, the software processes 170, following from the parsing of the XML document 120 provide for the processing of the digital content 104, binary content 108, and textual content 110, present in the digital goods file 102. As needed, the software processes 170 invoke HTML parsers 176, audio decoders 178, and video/binary image decoders 180 to process the content 104,108,110 to a level suitable for presentation to the hardware renderers 158,162,166. Additionally, the software processes 170 can recognize and, as appropriate, utilize audio and video plug-ins 182,184 to further process the content 104,108,110 prior to being passed to the renderers 158,162,166. These software plug-ins 182,184 may be independently or separately introduced into the player 150.

Alternately, the plug-ins 182,184 may be provided as part of the binary content of the digital goods 102. In this case, the XML document 120 will identify the specific objects within the binary content 108 that are the plug- ins and permit the software processes 170 to appropriately load these objects into the execution memory space of the microprocessor 152. Once loaded, the microprocessor 152 preferably operates to initialize the plug-ins 182,184 into the software environment of the software processes 170.

The preferred architecture 190 of the Internet distribution control system 12 is shown in greater detail in Figure 4 as including a secure server system

192, a set of user interfaces 194, and a secure business-to-business interface 196 to a financial service provider. The secure server system 192 may make use any of the many different commercial e-commerce server systems that are now widely available through established vendors or provided by hosting services. In a preferred embodiment of the present invention, the secure server system 192 includes a scalable internet server 198 using Microsoft IIS, hosted on a WindowsNT OS server and Intel Pentium 1118 platform provided behind a conventional Internet firewall that provides the network secure environment of the secure server system 192. The internet server 198 may host and execute an instance of the Internet firewall application.

The internet server 198 is preferably used to process Internet transactions related to the authentication, digital goods selection, card redemption accounting, and digital goods electronic transfer fulfillment. A database server 200 is preferably provided to support database access against an accounts database 202 used to store the card account and related information. For a preferred embodiment of the present invention, Table III lists the general account information stored by the accounts database 202.

Table III-Account Information Account InformationAccountInformationDescription SponsorID:Informationidentifyingthesponsorandsponsorprogram. SeriesAnalpha-numericidentifierofasetofcardsassociatedwith Number:aparticularpromotion,sponsoredevent,subscription,etc. CardKey:Auniquenumberidentifyingthecard. PIN:Anidentificationnumberusabletoverifytheauthenticityof theCardKey. RedemptionIdentificationoftheprofileorprofilesthatcanbeevalu ated Profile:indeterminingwhetheranyparticularuseofthecardis allowable. Initially, onlyasingle profileisrecognized. CurrentIdentificationofthecurrentmonetaryvalueofthecard Value:againsteachoftheavailable profilesforthiscard. <BR> <P>Table III-Account Information Account InformationAccountInformation Description ExpirationApromotionalofferoruseterminationdateforthisaccoun t Date:relativetoeachoftheavailable profilesforthiscard. TotalUses:Thecurrenttotalsubscriptionusesorredemptionsforeac h oftheavailable profileforthiscard.

The accounts database 202 is also preferably used to store the account related profile information. A summary of the profile information stored in the database 202 is provided in Table IV. The account information and profile information is thus available to the internet server 198 in determining the authentication and authorization status for any particular redemption request received.

Table IV-Profile Information Account InformationAccountInformation Description SponsorInformationidentifyingthesponsorandsponsorprogram. ID: CardSeriesAnalpha-numericidentifierofasetofcardsassociatedwi th Number:aparticularpromotion,sponsoredevent,subscription,etc. Profile ID:Anidentifierofaparticularpromotion,sponsorship, subscriptionorotherprofilebasisallowingfortheuseofany authenticatedcardsfortheredemptionofallowable digital goods. BusinessAsetofbusinessrulesandrequirementsdefiningthe Rules:allowableusesofacardwithrespecttothisprofile.

A content store 204 is also preferably provided as a repository for the digital content that is to be distributed by the server system 192. Thus, as redemption requests are approved for fulfillment, the database server 200 is

preferably utilized to obtain the requested content from the content store 204.

An internet server 206 may be provided to separately support administration functions necessary to maintain and obtain reports from the secure server system 192. The internet server 206 may be implemented utilizing essentiallythe same software and hard ward components as the server 198.

A key management server 208, key database server 210, and key database 212 is also preferably provided in the secure server system 192. This key control subsystem 208,210,212 operates to produce and manage the secure storage of at least the private encryption keys that are used in the digital signing and licensing of the digital goods electronically transferred out of the secure server system 192. The key management server 208 is responsible for generating the private keys, which then can be stored through the database server 210 by the key database 212. These generated keys can then be provided on a transactional or as needed basis through the database server 200 for storage, directly or indirectly, against the account records in the accounts database 202. A key management and control user interface 214 is preferably provided within the secure server system 192 to operate, as needed, the key management server 208.

In a preferred embodiment of the present invention, the secure server system 192 is used to support Web sites that are public, as in the case of the retail Web site 220, and that are protected, such as the remote administration Web site 224, which can be used to support secure sites 196, such as the card recharge site 226. The retail site 220 supports a conventional Web page type user interface 228 that allows for the selection and ordering of digital goods.

The information collecte regarding the consumer, including the aggregation vehicle information, and the digital goods selections requested by the consumer are preferably submitted through a HTTP transaction gateway 230 to the internet server 198 of the secure server system 192.

Administration functions are preferably performed through the administration site 224, which operates a HTTP gateway 232 to the internet server206 used to support the externally allowed management, maintenance, and control aspects of the secure server system 192. Interaction with the

administration Web site 224 is supported through a conventional Web page type user interface 234.

In accordance with a preferred embodiment of the present invention, the recharging of the aggregation vehicles is permitted though the use of the secure recharge site 196. For example, a consumer may be permitted by the profile associated with a card to add monetary value to the card. Thus, from the retail site 220, the consumer is permitted to access the secure site 226 and perform a supported HTTP transaction through a financial services gateway 236 with a third party financial services provider (FSP) 238. This transaction is typically a credit card charge transaction. On completion of the credit card charge transaction, another HTTP transaction through the financial service gateway 236, directly or as shown indirectly, communicates updated account information to the administration internet server 206. Corresponding account records in the accounts database 202 can then be updated as appropriate to reflect an increased account value for the corresponding aggregation vehicle.

Promoters and other parties provided with suitable access rights to the administration site 224 can also directly affect the account and profile records stored by the accounts database 202. Promotional values, new profile rules, extensions of expiration dates, and other aspects of the promotion, sponsorship, subscription, or other programs being run through the secure system 192 are available to be modified. Limitations and constraints on these modifications may be readily established as part of the defined relationship between the entities, such as promoters, and the operators of the secure server system 192.

A preferred process 250 of authentication and electronic transfer of digital goods is shown in Figure 5. The process 250 is initiated in response to the submission 252 of a redemption request. This request preferably includes a key, PIN, a selection (SKU#), and a selection corresponding redemption value. Other data submitted may include a transaction identifier, and a consumer supplied message or identifier. An account lookup 254 is then performed. Where the key is not found, a notification message 258 can be returned to the consumer. If the PIN is determined 260 to be incorrect, an

analysis 264 of the number of PIN failures and frequency of failure may be performed to determine whether a fraudulent use is being attempted. Where fraud is reasonably suspected based on the analysis 264, the account, as represented by the card, may be deactivated 266. Otherwise, an appropriate notification message may be provided to the consumer.

If the card corresponding account lacks sufficient funds 268, the consumer may be so notified 270. In addition, if permitted by the corresponding account profile, the notification may provide the consumer with an option to recharge the account. The active status of the promotion, subscription, or other activity represented by a card 272 is then checked. If the status is determined to be inactive, a corresponding error notification 274 is provided to the consumer. Similarly, the expiration date of the particular account, as represented by the card, is then checked 276. If the card has expired, which may be promotional mechanism used to require the consumer to revisit some retail site or store to have the expiration date modified, a corresponding message 278 is generated and provided to the consumer.

Once the account as represented by a particular card has been authenticated and authorized for redemption of the value of the specified digital goods, a transaction against the relevant account record is begun 280.

In a preferred embodiment of the present invention, a header record for the transaction is initially written to the accounts database 202. On any failure of the header record write, the transaction is terminated and a corresponding message 284 is provided to the consumer. Preferably, in sequence, a line item record 286 and an updated account balance 288 is written to the accounts database 202. Again, any failure in writing this information to the accounts database 202 results in the transaction termination and a corresponding message 284 being provided to the consumer.

In a preferred embodiment of the present invention, an electronic licensing and transfer package is used to control the actual electronic delivery of the digital goods to the consumer. The presently used package is available under the product name Ziplock Server"", which is also available under license from Preview Systems, Inc., Cupertino, California. Thus, after the accounts database 202 is updated with the new account balance 288, a corresponding

authorization code is generated and used as the basis for initiating the transfer of the digital goods 290. The digital license is then also transferred 292.

Since the transfer package operates as an independent server application to manage the actual transfers of the digital goods and license, the process 250 is considered complete 294 once the transfer package has accepted the authorization code.

An enhanced security operation for the process 250 is shown in greater detail in Figure 6. The enhanced security process 300 may be invoked in the process 250 in place of or in addition to the analysis step 264. Alternately, any security check 302 may be performed initially, as shown. On failure 304, the failure history of the particular account, series of cards, or related set of promotion profiles are checked 308 for patterns of mis-use. For example, rate of failures, or failure velocity, may be analyzed 310 to determine whether an organized attack is being made to fraudulently authenticate an account that then can be used to improperly obtain access to some digital goods. In this case, various threshold criteria can be applied to detect patterns and determine whether any velocity limit has been exceeded 312. If a limit is exceeded, the account is deactivated 314 and the consumer notified accordingly 316. Otherwise, where either no security failure is noted 304 or a limit is not exceeded 312, a security record is written 306 in the accounts database 202, directly or indirectly, so as to permit subsequent evaluation against the account, series of cards, or related set of promotion profiles considered by the security check 302.

The authentication and electronic transfer of digital goods process 250 preferably operates anonymously with respect to the actual consumer using any particular aggregation vehicle. Specifically, the authentication is performed against a particular card, not against the particular holder of the card. As generally shown in Figure 7, the process 250, however, may selectively operate to request or require a registration or user identification before authentication is completed. Whether a registration request is presented to a consumer may be based on the profile associated with the particular account identified for use by a consumer. Thus, in some sequence with the active 272, expired 274, or other steps that involve the evaluation of

the account profile, a determination 320 of whether registration is requested or required can be made. A further determination 322 of whether the registration has already occurred can then be made. If registration information has not already been received, the required or requested information can be obtained 324 upon presentation of appropriate Web page forms. Information so obtained, is then preferably written, directly or indirectly, to the accounts database 202 at least for purposes of subsequent examination in the process of authenticating and authorizing redemptions against the corresponding account. Similarly, a usage history 328 may be written to collect other reportable information in regard to the actions taken with respect to the identified account.

Figure 8 shows a further modification and enhancement of the authentication and electronic transfer of digital goods process 250. A flexible focus limitation process 340 may be incorporated within the process 250 generally in some sequence with the active 272, expired 274, or other steps that involve the evaluation of the account profile being authenticated. Thus, a determination 342 can be made from the account or related account profile as to whether any focus limitation needs to be considered. Where some focus limitation needs to be considered for enforcement, the identified limitations are considered either sequentially or on some order or as part of a decision hierarchy determined by the corresponding account profile. This latter case allows for simple to quite complex"bonus-level,""rebate,"and"incentive program"structures to be defined and directly enforced as part of the general authentication process 250.

As shown in Figure 8, an ordered linear sequence of focus limitations can be iteratively examined and thereby used to constrain a particular redemption selection. These limitations, which are exemplary, include a "parental"or specific title inclusion/exclusion, limitation 344, a promotion limitation that may be specific to the number of digital goods available 346, a content limitation that may be specific to a particular artist, genre, label, or studio 348, and any other definable limitation 350 capable of being evaluated as a business rule. As each limitation is identified, a determination can then be made 354 as to whether the selected digital goods acceptably falls within

the focus limitation. A failure of a selection to conform to a focus limitation preferably results in a corresponding notification 356 being generated and provided to the consumer. The corresponding selection is then removed or dropped 358. The selection process, iterating through the determination 342 of whether any remaining focus limitations remain to be considered, then continues. Where a selection is finally determined to be within the defined focus limitation restrictions 344,346,348,354, the selected digital goods are prepared 360 and transferred 362 to the consumer.

Thus, a system for providing for the trusted channel distribution of digital goods utilizing a network communications system, such as the Internet, has been described.

In view of the above description of the preferred embodiments of the present invention, many modifications and variations of the disclosed embodiments will be readily appreciated by those of skill in the art. It is therefore to be understood that, within the scope of the appended claims, the invention may be practiced otherwise than as specifically described above.