Interoperable systems and methods for peer-to-peer service orchestration

What is claimed is: 1. A method of accessing content according to a DRM policy using a device, comprising: operating, by the device, a DRM engine and a cryptographic services module; receiving, by the device, an encrypted content item, a first link object signed by a link object key, and a certificate comprising a constraint program for validating the link object key, wherein the first link object references a first object and a second object ; authorizing, by the device, access to the encrypted content item using the DRM engine and the cryptographic services module, authorization comprising: determining an authorization of the link object key to sign the first link object using the DRM engine by executing the constraint program using at least one of first attributes of the first object and second attributes of the second object, and based on the execution of the constraint program, determining satisfaction of usage conditions for the link object key; based on the determined authorization of the link object key to sign the first link object, verifying the certificate using the cryptographic services module; based on the verification of the certificate, constructing an authorization graph by processing two or more link objects including the first link object using the DRM engine; querying the authorization graph using the DRM engine; and based on a result of querying the authorization graph, authorizing access to the encrypted content item using the DRM engine; and based on the access authorization, decrypting, by the device, the encrypted content item and accessing, by the device, the content item. 2. The method of claim 1 , wherein querying the authorization graph comprises executing a control program and determining by the control program an existence of a first path from a first path node to a second path node. 3. The method of claim 2 , wherein querying the authorization graph further comprises determining by the control program an existence of a second path from a third path node to a fourth path node. 4. The method of claim 3 , wherein the first path node and the third path node are distinct. 5. The method of claim 2 , wherein the control program comprises byte code. 6. The method of claim 1 , wherein the first link object represents one or more of an ownership relationship and a membership relationship. 7. The method of claim 1 , wherein the DRM engine of the device and the cryptographic services module of the device communicate indirectly using a host services module of the device. 8. A system for accessing content according to a DRM policy, comprising: at least one processor; and at least one non-transitory computer-readable medium containing instructions that when executed by the at least one processor cause the at least one processor to perform operations including: operating a DRM engine and a cryptographic services module; receiving an encrypted content item, a first link object signed by a link object key, and a certificate comprising a constraint program for validating the link object key, wherein the first link object references a first object and a second object; authorizing access to the encrypted content item using the DRM engine and the cryptographic services module, authorization comprising: determining an authorization of the link object key to sign the first link object using the DRM engine by executing the constraint program using at least one of first attributes of the first object and second attributes of the second object, and based on the execution of the constraint program, determining satisfaction of usage conditions for the link object key; based on the determined authorization of the link object key to sign the first link object, verifying the certificate using the cryptographic services module; based on the verification of the certificate, constructing an authorization graph by processing two or more link objects including the first link object using the DRM engine; querying the authorization graph using the DRM engine; and based on a result of querying the authorization graph, authorizing access to the encrypted content item using the DRM engine; and based on the access authorization, decrypting the encrypted content item and accessing the content item. 9. The system of claim 8 , wherein querying the authorization graph comprises executing a control program and determining by the control program an existence of a first path from a first path node to a second path node. 10. The system of claim 9 , wherein querying the authorization graph further comprises determining by the control program an existence of a second path from a third path node to a fourth path node, wherein the first path node and the third path node are distinct. 11. The system of claim 9 , wherein the control program comprises byte code. 12. A non-transitory computer readable medium containing instructions that when executed by at least one processor cause the at least one processor to perform operations for accessing content according to a DRM policy, comprising: operating a DRM engine and a cryptographic services module; receiving an encrypted content item, a first link object signed by a link object key, and a certificate comprising a constraint program for validating the link object key, wherein the first link object references a first object and a second object; authorizing access to the encrypted content item using the DRM engine and the cryptographic services module, authorization comprising: determining an authorization of the link object key to sign the first link object using the DRM engine by executing the constraint program using at least one of first attributes of the first object and second attributes of the second object, and based on the execution of the constraint program, determining satisfaction of usage conditions for the link object key; based on the determined authorization of the link object key to sign the first link object, verifying the certificate using the cryptographic services module; based on the verification of the certificate, constructing an authorization graph by processing two or more link objects including the first link object using the DRM engine; querying the authorization graph using the DRM engine; and based on a result of querying the authorization graph, authorizing access to the encrypted content item using the DRM engine; and based on the access authorization, decrypting the encrypted content item and accessing the content item. 13. The computer readable medium of claim 12 , wherein querying the authorization graph comprises executing a control program and determining by the control program an existence of a first path from a first path node to a second path node. 14. The computer readable medium of claim 13 , wherein querying the authorization graph further comprises determining by the control program an existence of a second path from a third path node to a fourth path node, wherein the first path node and the third path node are distinct.