Remote access of digital identities
Abstract
A system and method for controlling distribution and use of digital identity representations (“DIRs”) increases security, usability, and oversight of DIR use. A DIR stored on a first device may be obtained by a second device for use in satisfying the security policy of a relying party. Release of the DIR to the second device requires permission from a device or entity that may be different from the device or entity attempting to access the relying party. Further, the use of the DIR to obtain an identity token may separately require permission of even a different person or entity and may be conditioned upon receiving satisfactory information relating to the intended use of the DIR (e.g., the name of the relying party, type of operation being attempted, etc.). By controlling the distribution and use of DIRs, security of the principal's identity and supervisory control over a principal's activities are enhanced.
20 Claims
1. A method for controlling distribution of a digital identity representation, comprising the steps of:
- receiving at a first device a request from a second device to obtain the digital identity representation, wherein the request includes a timestamp based on a timing mechanism of the second device;
- determining, at the first device, whether to accept the request;
- when the request is accepted, generating, by the first device, the digital identity representation, further including, in the absence of a first device timing mechanism, relying on the timestamp to encode a time-based use restriction into the digital identity representation;
- providing, by the first device, the digital identity representation to the second device.
Dependent claims: 2, 3, 4, 5, 6, 16, 17
7. A method of using a digital identity representation, comprising the steps of:
- receiving a token request for an identity token from a relying party;
- sending to a first device a first request from a second device to obtain the digital identity representation, wherein the first request includes a timestamp and a time-based use restriction request;
- receiving at the second device the digital identity representation, wherein the digital identity representation includes metadata describing at least a first claim about a principal, and wherein the digital identity representation includes the time-based use restriction for the digital identity representation that is based on the time-based use restriction request and the timestamp in the first request;
- after receiving the digital identity representation, sending from the second device a second request to use the digital identity representation;
- receiving at the second device permission to use the digital identity representation;
- using the digital identity representation to request the identity token;
- receiving the identity token; and
- providing the identity token to the relying party.
Dependent claims: 8, 9, 10, 18, 19
11. A method of using a digital identity representation provided by a first device to a second device, the method comprising:
- requesting, by the second device, access to a relying party;
- receiving, at the second device, a security policy from the relying party;
- sending, to the first device, a first request from the second device to obtain the digital identity representation, wherein the first request includes a timestamp, and a time-based use restriction request;
- receiving, at the second device, the digital identity representation, wherein the digital identity representation:
  - includes a time-based use restriction for the digital identity representation that is based on the time-based use restriction request and the timestamp in the first request;
  - includes metadata describing at least a first claim about a principal; and
  - identifies an identity provider;
- requesting an identity token from the identity provider, wherein the step of requesting includes using the digital identity representation; and
- using the identity token to satisfy at least a portion of the security policy, wherein the first device is different from each of the second device, the identity provider, and the relying party.
Dependent claims: 12, 13, 14, 15, 20
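The time-based use restriction of claims 1, 7 and 11, sketched as an added example that is not taken from the patent or any implementation of it: a first device with no clock anchors the validity window on the requester's timestamp, and a party with a trusted clock checks it later. The shared HMAC key, the field names, the lifetime cap and the choice of the identity provider as the enforcing party are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a key shared by the first device and the identity provider.
ISSUER_KEY = b"constructed-demo-key"
# Assumption: policy cap, since the first device cannot check the timestamp.
MAX_LIFETIME_S = 3600


def _mac(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_dir(request, approved):
    """First device (no clock): encode the window from the request timestamp."""
    if not approved:
        return None
    start = int(request["timestamp"])
    lifetime = min(int(request["requested_lifetime_s"]), MAX_LIFETIME_S)
    if lifetime <= 0:
        return None
    body = {
        "claims_metadata": ["age_over_18"],      # constructed sample claim
        "identity_provider": "idp.example",      # constructed placeholder
        "not_before": start,
        "not_after": start + lifetime,
    }
    return {"body": body, "mac": _mac(body)}


def idp_accepts(dir_obj, idp_now):
    """Identity provider (trusted clock): check integrity, then the window."""
    if not hmac.compare_digest(_mac(dir_obj["body"]), dir_obj["mac"]):
        return False
    body = dir_obj["body"]
    return body["not_before"] <= idp_now <= body["not_after"]


if __name__ == "__main__":
    now = 1_700_000_000  # constructed sample time
    req = {"timestamp": now, "requested_lifetime_s": 86_400}
    d = issue_dir(req, approved=True)
    print(d["body"]["not_after"] - now, idp_accepts(d, now + 60))
```

Because the timestamp is supplied by the requesting device, the cap and the check against a trusted clock are what bound the window; a future-dated request yields a DIR that is not yet valid rather than one that lasts longer.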
Specification