PERFORMING A BUSINESS TRANSACTION WITHOUT DISCLOSING SENSITIVE IDENTITY INFORMATION TO A RELYING PARTY

US 20080229410A1
Filed: 08/22/2007
Published: 09/18/2008
Est. Priority Date: 03/16/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a machine (105);

a card selector (205) on the machine (105) to receive a selection of an information card (220) from a user;

a receiver (210) to receive a security policy (150) used in identifying said information card (220), said security policy (150) including elements of a transaction (305) from a relying party (130), a security token (160) responsive to said security policy (150) from an identity provider (135); and

a transmitter (215) to transmit said security policy (150) to said identity provider (135) and said security token (160) to said relying party (130), said security token (160) responsive to said security policy (150),wherein said security policy includes elements of a transaction (305) and said security token (160) is at least partially responsive to said elements of a transaction (305).

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user engages in a transaction with a relying party. The relying party requests identity information from the user in a security policy and identifies transaction elements for an on-line business transaction. Typically, the security policy and transaction elements are transmitted together; the security policy can be as little as a request to conduct the on-line business transaction. The user identifies an information card that satisfies the security policy. The computer system requests a security token from the identity provider managing the information card, which can include requesting a transaction receipt for the transaction elements. The computer system then returns the security token (and the transaction receipt) to the relying party, to complete the transaction.

Citations

37 Claims

1. An apparatus, comprising:
- a machine (105);
  
  a card selector (205) on the machine (105) to receive a selection of an information card (220) from a user;
  
  a receiver (210) to receive a security policy (150) used in identifying said information card (220), said security policy (150) including elements of a transaction (305) from a relying party (130), a security token (160) responsive to said security policy (150) from an identity provider (135); and
  
  a transmitter (215) to transmit said security policy (150) to said identity provider (135) and said security token (160) to said relying party (130), said security token (160) responsive to said security policy (150),wherein said security policy includes elements of a transaction (305) and said security token (160) is at least partially responsive to said elements of a transaction (305).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. An apparatus according to claim 1, wherein said information card (220) includes information that can complete said transaction.
  - 3. An apparatus according to claim 2, wherein the information that can complete said transaction includes an identifier of an account number (410).
  - 4. An apparatus according to claim 2, wherein said elements of said transaction (305) include at least one of a cost of said transaction (510) and an identifier of said relying party (130, 515).
  - 5. An apparatus according to claim 1, wherein said security policy further includes a request for said receipt (310).
  - 6. An apparatus according to claim 1, further comprising:
    - a card provider registry (1510) installed on the machine (105); and
      
      a set of pluggable card providers (1545, 1555, 1560) coupled to the card provider registry (1510), each of the set of pluggable card providers (1545, 1555, 1560) operative to access at least one pluggable card store (1515, 1520, 1525, 1530, 1535), each of said at least one pluggable card store (1515, 1520, 1525, 1530, 1535) including at least one information card (1715).
  - 7. An apparatus according to claim 6, wherein:
    - the card provider registry (1510) is operative to request and receive from each of the set of pluggable card providers (1545, 1555, 1560) a list of information cards in said at least one pluggable card store (1515, 1520, 1525, 1530, 1535); and
      
      each of the set of pluggable card providers (1545, 1555, 1560) is operative to enumerate the at least one information card (1715) in each of said at least one pluggable card store (1515, 1520, 1525, 1530, 1535).
  - 8. An apparatus according to claim 6, further comprising an authenticator (1705) to authenticate a request to access one of said at least one pluggable card stores (1515, 1520, 1525, 1530, 1535).
  - 9. An apparatus according to claim 6, further comprising means for registering (1635) a new pluggable card provider (1545, 1555, 1560) with the card provider registry (1510).
  - 10. An apparatus according to claim 6, further comprising means for deregistering (1635) one of said pluggable card stores (1515, 1520, 1525, 1530, 1535) from said machine (105).
  - 11. An apparatus according to claim 6, wherein the machine (105) includes at least one connector to connect said at least one pluggable card store (1515, 1520, 1525, 1530, 1535) to the machine (105).
  - 12. An apparatus according to claim 11, wherein at least one of the set of pluggable card providers (1545, 1555, 1560) is operative to add a new pluggable card store (1515, 1520, 1525, 1530, 1535) when said new pluggable card store (1515, 1520, 1525, 1530, 1535) is connected to the at least one connector.
  - 13. An apparatus according to claim 6, further comprising a receiver (210) is operative to receive a credential (1725) from a user to unlock at least one of said at least one pluggable card stores (1515, 1520, 1525, 1530, 1535).

14. A method for conducting a transaction with a relying party, comprising:
- identifying (605) elements of the transaction (305);
  
  receiving (610) a security policy (150) from the relying party (130), the security policy (150) including the elements of the transaction (305);
  
  receiving (615) an identifier of a selected information card (220) to conduct the transaction, the information card (220) satisfying the security policy (150);
  
  requesting (620) a security token (160) from an identity provider (135), providing the elements of the transaction (305) to the identity provider (135);
  
  receiving (625) the security token (160) from the identity provider (135); and
  
  transmitting (630) the security token (160) to the relying party (130).
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. A method according to claim 14, wherein:
    - receiving (625) the security token (160) from the identity provider (135) includes receiving a transaction receipt (310) from the identity provider (135); and
      
      transmitting (630) the security token (160) to the relying party (130) includes transmitting the transaction receipt (310) to the relying party (130).
  - 16. A method according to claim 14, wherein receiving (615) an identifier of a selected information card (220) to conduct the transaction includes receiving an identifier of a selected information card (220) including information that can complete the transaction.
  - 17. A method according to claim 16, wherein receiving an identifier of a selected information card (220) including information that can complete the transaction includes receiving an identifier of a selected information card (220) including an identifier of an account number (410).
  - 18. A method according to claim 14, wherein identifying (605) elements of the transaction (305) includes identifying (605) at least one of a cost for the transaction (510) and an identifier of the relying party (135, 515).
  - 19. A method according to claim 14, wherein receiving (610) a security policy (150) from the relying party (130) includes receiving a request for a transaction receipt (310) from the relying party (130).
  - 20. A method according to claim 14, wherein:
    - the method further comprises;
      
      identifying (1805) a pluggable card store (1515, 1520, 1525, 1530, 1535) that is available at a machine (105); and
      
      interfacing (1820) with the pluggable card store (1515, 1520, 1525, 1530, 1535) using a pluggable card provider (1545, 1555, 1560); and
      
      receiving (615) an identifier of a selected information card (220) to conduct the transaction includes receiving (1935) an identifier of an information card (220, 1715) in the pluggable card store (1515, 1520, 1525, 1530, 1535) from a user.
  - 21. A method according to claim 20, wherein interfacing (1820) with the pluggable card store (1515, 1520, 1525, 1530, 1535) includes unlocking (1830, 1835) the pluggable card store (1515, 1520, 1525, 1530, 1535).
  - 22. A method according to claim 21, wherein unlocking (1830, 1835) the pluggable card store (1515, 1520, 1525, 1530, 1535) includes:
    - receiving (1830) a credential (1725) from the user; and
      
      providing (1835) the credential (1725) to the pluggable card store (1515, 1520, 1525, 1530, 1535) to enable the pluggable card store (1515, 1520, 1525, 1530, 1535) to authenticate the user.
  - 23. A method according to claim 20, further comprising determining (2005) that the pluggable card store (1515, 1520, 1525, 1530, 1535) is no longer available at a machine (105).
  - 24. A method according to claim 23, further comprising unplugging (2015) the pluggable card provider (1545, 1555, 1560) from the card provider registry (1510).
  - 25. A method according to claim 20, further comprising plugging (1810, 1815) the pluggable card provider (1545, 1555, 1560) into the card provider registry (1510).

26. An article, comprising a storage medium, said storage medium having stored thereon instructions that, when executed by a machine, result in:
- identifying (605) elements of the transaction (305);
  
  receiving (610) a security policy (150) from the relying party (130), the security policy (150) including the elements of the transaction (305);
  
  receiving (615) an identifier of a selected information card (220) to conduct the transaction, the information card (220) satisfying the security policy (150);
  
  requesting (620) a security token (160) from an identity provider (135), providing the elements of the transaction (305) to the identity provider (135);
  
  receiving (625) the security token (160) from the identity provider (135); and
  
  transmitting (630) the security token (160) to the relying party (130).
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 27. An article according to claim 26, wherein:
    - receiving (625) the security token (160) from the identity provider (135) includes receiving a transaction receipt (310) from the identity provider (135); and
      
      transmitting (630) the security token (160) to the relying party (130) includes transmitting the transaction receipt (310) to the relying party (130).
  - 28. An article according to claim 26, wherein receiving (615) an identifier of a selected information card (220) to conduct the transaction includes receiving an identifier of a selected information card (220) including information that can complete the transaction.
  - 29. An article A method according to claim 28, wherein receiving an identifier of a selected information card (220) including information that can complete the transaction includes receiving an identifier of a selected information card (220) including an identifier of an account number (410).
  - 30. An article according to claim 26, wherein identifying (605) elements of the transaction (305) includes identifying (605) at least one of a cost for the transaction (510) and an identifier of the relying party (135, 515).
  - 31. An article according to claim 26, wherein receiving (610) a security policy (150) from the relying party (130) includes receiving a request for a transaction receipt (310) from the relying party (130).
  - 32. An article according to claim 26, wherein:
    - said storage medium has stored thereon further instructions that, when executed by the machine, result in;
      
      identifying (1805) a pluggable card store (1515, 1520, 1525, 1530, 1535) that is available at a machine (105); and
      
      interfacing (1820) with the pluggable card store (1515, 1520, 1525, 1530, 1535) using a pluggable card provider (1545, 1555, 1560); and
      
      receiving (615) an identifier of a selected information card (220) to conduct the transaction includes receiving (1935) an identifier of an information card (220, 1715) in the pluggable card store (1515, 1520, 1525, 1530, 1535) from a user
  - 33. An article according to claim 32, wherein interfacing (1820) with the pluggable card store (1515, 1520, 1525, 1530, 1535) includes unlocking (1830, 1835) the pluggable card store (1515, 1520, 1525, 1530, 1535).
  - 34. An article according to claim 33, wherein unlocking (1830, 1835) the pluggable card store (1515, 1520, 1525, 1530, 1535) includes:
    - receiving (1830) a credential (1725) from the user; and
      
      providing (1835) the credential (1725) to the pluggable card store (1515, 1520, 1525, 1530, 1535) to enable the pluggable card store (1515, 1520, 1525, 1530, 1535) to authenticate the user.
  - 35. An article according to claim 32, further comprising determining (2005) that the pluggable card store (1515, 1520, 1525, 1530, 1535) is no longer available at a machine (105).
  - 36. An article according to claim 35, further comprising unplugging (2015) the pluggable card provider (1545, 1555, 1560) from the card provider registry (1510).
  - 37. An article according to claim 32, wherein said storage medium has stored thereon further instructions that, when executed by the machine, result in plugging (1810, 1815) the pluggable card provider (1545, 1555, 1560) into the card provider registry (1510).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Sanders, Daniel S., Olds, Dale R., Felsted, Patrick R., Sermersheim, James G., Doman, Thomas E., Hodgkinson, Andrew A.

Granted Patent

US 8,073,783 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/20
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06Q 20/10   specially adapted for elect...

G06Q 20/367   involving electronic purses...

G06Q 20/382   insuring higher security of...

G06Q 20/40   Authorisation, e.g. identif...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

PERFORMING A BUSINESS TRANSACTION WITHOUT DISCLOSING SENSITIVE IDENTITY INFORMATION TO A RELYING PARTY

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

PERFORMING A BUSINESS TRANSACTION WITHOUT DISCLOSING SENSITIVE IDENTITY INFORMATION TO A RELYING PARTY

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links