
Authentication infrastructure extensions to support Anonymous Credential

IP.com Disclosure Number: IPCOM000206843D
Publication Date: 2011-May-10
Document File: 3 page(s) / 82K

Publishing Venue

The IP.com Prior Art Database

Abstract

As more services are provided through Web transactions, the number of cases in which user attributes (not necessarily the user identity itself) must be presented to such services also grows.


When a web site needs to identify a user, it authenticates the user with a user ID and password in a generic authentication process. As described above, the information associated with the user's age is then retrieved from the user registry and compared with the age condition that must be met to confirm validity. To realize a framework that minimizes the information provided to the service provider, however, this disclosure uses the following two methods:

1. Using existing federation technologies such as OpenID and SAML, set up an Identity Provider to initiate authentication and a Service Provider to consume and federate the credential. In this way the authentication mechanism is kept separate from the application logic, and only the minimum private data is securely passed between the systems.
2. Without using the existing authentication mechanism, build an authentication server that endorses the validity of user information as appropriate, and implement the capability for users to access the authentication server through Web browsers when needed.

Method 1 can be realized today using existing IBM products; method 2 is newly introduced with this disclosure. In either method the service providers use data sent from the authentication servers, but personally identifiable data is not passed to them. The service providers do receive the required user attributes, such as user age, verified and endorsed by the authentication servers. Method 2 has further advantages over method 1 from the viewpoint of privacy information protection design.
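To make the minimum-disclosure flow of method 2 concrete, the following added example (not part of the disclosure) models an authentication server that authenticates a user against its own registry and then issues an endorsed assertion carrying only the age predicate (for example "age>=20"), an audience, an expiry and a nonce, while the service provider verifies the endorsement and learns nothing else about the user. The registry, users, shared key and message format are all constructed for the demo; the endorsement is an HMAC over a shared key, where a federated SAML or OpenID deployment would use the identity provider's signing key instead.

```python
import base64, hashlib, hmac, json, secrets
from datetime import date

# Constructed registry held only by the authentication server (method 2); the service
# provider never reads it. Plaintext passwords are a demo shortcut, not a recommendation.
USER_REGISTRY = {
    "alice": {"password": "alice-pw", "birthdate": date(1985, 3, 2), "email": "alice@example.com"},
    "bob": {"password": "bob-pw", "birthdate": date(1995, 9, 20), "email": "bob@example.com"},
}
# Assumed shared key; a SAML/OpenID deployment would use the IdP's signing key instead.
SHARED_KEY = b"constructed-demo-key"

def b64enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def age_on(birthdate: date, today: date) -> int:  # completed years of age
    return today.year - birthdate.year - ((today.month, today.day) < (birthdate.month, birthdate.day))

def issue_age_assertion(user_id: str, password: str, min_age: int, audience: str, today: date) -> str:
    """Authentication server: authenticate the user, then endorse only the age predicate."""
    record = USER_REGISTRY.get(user_id)
    if record is None or not hmac.compare_digest(record["password"], password):
        raise PermissionError("authentication failed")
    claims = {
        "aud": audience,  # service provider this assertion is issued for
        "predicate": f"age>={min_age}",
        "result": age_on(record["birthdate"], today) >= min_age,
        "exp": today.toordinal() + 1,  # valid through tomorrow
        "nonce": secrets.token_hex(8),  # lets the SP reject replays
    }  # deliberately no user id, name, email or exact birthdate
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return b64enc(body) + "." + b64enc(hmac.new(SHARED_KEY, body, hashlib.sha256).digest())

def assertion_claims(token: str) -> dict:
    """Return the claims only if the endorsement (MAC) is intact, else {}."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = b64dec(body_b64), b64dec(sig_b64)
    except ValueError:
        return {}
    if not hmac.compare_digest(sig, hmac.new(SHARED_KEY, body, hashlib.sha256).digest()):
        return {}
    return json.loads(body)

def verify_age_assertion(token: str, audience: str, today: date) -> bool:
    """Service provider: accept only an endorsed, unexpired assertion addressed to it."""
    claims = assertion_claims(token)
    return (claims.get("aud") == audience and claims.get("exp", 0) >= today.toordinal()
            and claims.get("result") is True)
```

The service provider's decision rests solely on the endorsed predicate, so a user who fails the age test, an assertion issued for a different service, an expired one, or one altered in transit is all rejected without the service provider ever handling identity data.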

Similar ideas have already been publicly disclosed, for example:

http://research.microsoft.com/en-us/projects/creds/
http://en.wikipedia.org/wiki/Digital_credential#Anonymous_digital_credentials
http://people.w3.org/~dsr/blog/?p=95
http://dud.inf.tu-dresden.de/~ben/kellermann_scholz09_anonymous_credentials_in_web_applications.pdf

This disclosure has the following advantages. Advantages 1 and 2 are based on the existing technologies; advantages 3 and 4 come from using the authentication server.

1. With this disclosure, the servers for the service provider and for authentication are separated using a federation framework. Under this arrangement, an authentication service, including the function of proving age, is provided by a third-party organization, and the service provider then receives only the user's age information. An example of this use case is a tobacco vending machine: by presenting a tobacco ID card, the user provides only the fact of being over 20 years of age, and no other personally identifiable information is disclosed. Such a functional separation model is a significant advantage for privacy information management, especially in cloud-computing-based services.
2. The existing implementations do not clearly define what type of information is hidden and what typ...