
Authentication infrastructure extensions to support Anonymous Credential

IP.com Disclosure Number: IPCOM000206843D
Publication Date: 2011-May-10
Document File: 3 page(s) / 83K

Publishing Venue

The IP.com Prior Art Database


As more services are delivered through Web transactions, more of them require the user to present attributes, which need not be the user's identity itself. A typical example is a movie content provider on the Internet. Movies carry viewer classes such as PG-12, R-15 and R-18 that correspond to viewer age; R-18 movies, for example, are advised not to be viewed by viewers below 18 years of age. To confirm eligibility for such movies, the provider needs to confirm the viewer's age attribute but not the identity itself: for the movie provider it does not matter who the viewers are, only how old they are. For this purpose viewers should not be asked to present identification; presenting identification for this "age checking" is a potential privacy issue. With this disclosure, viewers provide only the minimum private information the service provider needs, and that information can be anonymous and endorsed by the authentication server. By minimizing the private information disclosed, users become comfortable using such services, which then have more opportunity to grow. The security of the whole system is also improved by setting up a dedicated server system that controls attribute information.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 35% of the total text.

Page 01 of 3


When a web site needs to identify a user, it authenticates the user with a user ID and password in a generic authentication process. In the age-checking example above, the information associated with the user's age is then retrieved from the user registry and compared with the age condition that must be met to confirm eligibility. However, to realize a framework that minimizes the information provided to the service provider, this disclosure uses the following two methods:

1. Using existing federation technologies such as OpenID and SAML, set up an Identity Provider to initiate authentication and a Service Provider to consume the federated credential. In this way the authentication mechanism is separated from the application logic, and only the minimum private data is securely passed to the service provider's systems.
2. Without using the existing authentication mechanism, build an authentication server that endorses the validity of user information as appropriate, and implement the capability for users to access the authentication server through their Web browsers when needed.

Method 1 can be realized today with existing IBM products; method 2 is newly introduced with this disclosure. In either method the service provider receives data sent from the authentication server, but personally identifiable data is not passed to the service provider. The service provider does receive the required user attributes, such as the user's age, verified and endorsed by the authentication server. Method 2 has further advantages over method 1 from the viewpoint of privacy protection design.
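The following is an added example, not code from the disclosure or from any IBM product, showing the minimal-disclosure flow both methods rely on: the authentication server holds the user registry and checks the password, but the endorsed assertion it hands to the service provider carries only the age predicate (the same shape as the tobacco-vending-machine case later on the page, where only "over 20" is revealed). The user registry, the shared assertion key and the HMAC endorsement are constructed stand-ins for a real SAML/OpenID signature; `issue_age_assertion`, `verify_age_assertion` and `disclosed_pii` are names chosen here for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed user registry held ONLY by the authentication server.
# The service provider never has access to this data.
USER_REGISTRY = {
    "alice": {"password_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "name": "Alice Example", "birthdate": date(1990, 3, 14)},
    "bob":   {"password_hash": hashlib.sha256(b"hunter2").hexdigest(),
              "name": "Bob Example", "birthdate": date(1995, 9, 1)},
}

# Assumed: a key shared between the authentication server and the service
# provider. It stands in for the asymmetric signature a federation
# assertion would normally carry; constructed for this demonstration only.
ASSERTION_KEY = b"demo-shared-key-not-for-production"

# Identifying fields that must never leave the authentication server.
PII_FIELDS = {"user_id", "name", "birthdate", "password_hash"}

# Constructed "current date" so the example is deterministic.
TODAY = date(2011, 5, 10)


def age_on(birthdate, today):
    """Full years completed between birthdate and today."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def _endorse(payload_bytes):
    return hmac.new(ASSERTION_KEY, payload_bytes, hashlib.sha256).hexdigest()


def issue_age_assertion(user_id, password, min_age, audience, today=TODAY):
    """Authentication-server side.

    Authenticates the user against the registry, evaluates the age predicate
    and returns an endorsed assertion containing only the predicate result,
    the intended audience and a nonce. Returns None if login fails.
    """
    record = USER_REGISTRY.get(user_id)
    if record is None:
        return None
    presented = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(record["password_hash"], presented):
        return None
    payload = {
        "aud": audience,                 # which service provider may consume it
        "claim": "age_at_least",
        "threshold": min_age,
        "result": age_on(record["birthdate"], today) >= min_age,
        "nonce": secrets.token_hex(8),   # lets the provider reject replays
    }
    payload_bytes = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": _endorse(payload_bytes)}


def verify_age_assertion(assertion, audience, min_age):
    """Service-provider side.

    Checks the endorsement, the audience and that the asserted predicate is
    the one this provider requires; returns the boolean result. Raises
    ValueError for a tampered, mis-addressed or insufficient assertion.
    """
    payload = assertion["payload"]
    payload_bytes = json.dumps(payload, sort_keys=True).encode()
    if not hmac.compare_digest(_endorse(payload_bytes), assertion["sig"]):
        raise ValueError("assertion endorsement invalid")
    if payload.get("aud") != audience:
        raise ValueError("assertion not issued for this service provider")
    if payload.get("claim") != "age_at_least" or payload.get("threshold") != min_age:
        raise ValueError("assertion does not cover the required predicate")
    return bool(payload["result"])


def disclosed_pii(assertion):
    """Identifying fields that reach the service provider (expected: none)."""
    return PII_FIELDS & set(assertion["payload"])


if __name__ == "__main__":
    a = issue_age_assertion("alice", "correct horse", 18, "movies.example")
    print("eligible:", verify_age_assertion(a, "movies.example", 18))
    print("PII disclosed:", disclosed_pii(a))
```

The check a practitioner should take from this is the last function: whatever the transport, the assertion handed to the service provider must contain the predicate, the audience and the endorsement, and nothing from the registry record itself. The audience check matters as well, since an assertion issued for one provider must not be accepted by another.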

Similar ideas have already been publicly disclosed, for example:

http://research.microsoft.com/en-us/projects/creds/
http://en.wikipedia.org/wiki/Digital_credential#Anonymous_digital_credentials
http://people.w3.org/~dsr/blog/?p=95
http://dud.inf.tu-dresden.de/~ben/kellermann_scholz09_anonymous_credentials_in_web_applications.pdf

This disclosure has the following advantages. Advantages 1 and 2 are based on the existing technologies; advantages 3 and 4 come from using the authentication server.

1. With this disclosure, the service provider's servers and the authentication servers are separated using a federation framework. With this arrangement, the authentication service, including the age-proofing function, is provided by a third-party organization, and the service provider receives only the user's age information. An example of this use case is a tobacco vending machine: by presenting a tobacco ID card, the user proves only that he or she is over 20 years of age, and no other personally identifiable information is disclosed. Such a functional separation model is a significant advantage for privacy information management, especially in cloud-computing-based services.
2. The existing implementations do not clearly define what type of information is hidden and what typ...