Remote access of digital identities

US 8,689,296 B2
Filed: 12/07/2007
Issued: 04/01/2014
Est. Priority Date: 01/26/2007
Status: Active Grant

First Claim

Patent Images

1. A method for controlling distribution of a digital identity representation, comprising the steps of:

receiving at a first device a request from a second device to obtain the digital identity representation, wherein the request includes a timestamp based on a timing mechanism of the second device;

determining, at the first device, whether to accept the request;

when the request is accepted, generating, by the first device, the digital identity representation, further including, in the absence of a first device timing mechanism, relying on the timestamp to encode a time-based use restriction into the digital identity representation;

providing, by the first device, the digital identity representation to the second device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for controlling distribution and use of digital identity representations (“DIRs”) increases security, usability, and oversight of DIR use. A DIR stored on a first device may be obtained by a second device for use in satisfying the security policy of a relying party. Release of the DIR to the second device requires permission from a device or entity that may be different from the device or entity attempting to access the relying party. Further, the use of the DIR to obtain an identity token may separately require permission of even a different person or entity and may be conditioned upon receiving satisfactory information relating to the intended use of the DIR (e.g., the name of the relying party, type of operation being attempted, etc.). By controlling the distribution and use of DIRs, security of the principal'"'"'s identity and supervisory control over a principal'"'"'s activities are enhanced.

Citations

20 Claims

1. A method for controlling distribution of a digital identity representation, comprising the steps of:
- receiving at a first device a request from a second device to obtain the digital identity representation, wherein the request includes a timestamp based on a timing mechanism of the second device;
  
  determining, at the first device, whether to accept the request;
  
  when the request is accepted, generating, by the first device, the digital identity representation, further including, in the absence of a first device timing mechanism, relying on the timestamp to encode a time-based use restriction into the digital identity representation;
  
  providing, by the first device, the digital identity representation to the second device.
- View Dependent Claims (2, 3, 4, 5, 6, 16, 17)
- - 2. The method of claim 1, wherein the digital identity representation includes metadata describing at least a first claim about a principal.
  - 3. The method of claim 2, wherein the digital identity representation further includes backing data comprising the first claim.
  - 4. The method of claim 2, wherein the principal is a user of the first device.
  - 5. The method of claim 1, wherein, prior to the request, the digital identity representation is stored at the first device and includes internal address information pointing to an identity provider included in the first device, further comprising the step of:
    - changing the internal address information to an externally accessible address of the first device.
  - 6. The method of claim 1, further comprising the steps of:
    - receiving a second request to use the digital identity representation, wherein the second request is different from the first request;
      
      determining at the first device whether to accept the second request;
      
      providing, when the second request is accepted, permission to use the digital identity representation.
  - 16. The method of claim 1, further comprising:
    - requesting from the second device information related to the use of the digital identity representation; and
      
      receiving the information from the second device.
  - 17. The method of claim 1, wherein the digital identity representation includes a non time-based use restriction that further includes an address of a third device from which the permission to use the digital identity representation must be obtained.

7. A method of using a digital identity representation, comprising the steps of:
- receiving a token request for an identity token from a relying party;
  
  sending to a first device a first request from a second device to obtain the digital identity representation, wherein the first request includes a timestamp and a time-based use restriction request;
  
  receiving at the second device the digital identity representation, wherein the digital identity representation includes metadata describing at least a first claim about a principal, and wherein the digital identity representation includes the time-based use restriction for the digital identity representation that is based on the time-based use restriction request and the timestamp in the first request;
  
  after receiving the digital identity representation, sending from the second device a second request to use the digital identity representation;
  
  receiving at the second device permission to use the digital identity representation;
  
  using the digital identity representation to request the identity token;
  
  receiving the identity token; and
  
  providing the identity token to the relying party.
- View Dependent Claims (8, 9, 10, 18, 19)
- - 8. The method of claim 7, wherein the second request to use the digital identity representation is sent to a third device that is different from the first and second devices.
  - 9. The method of claim 7, wherein the second request to use the digital identity representation is sent to a device that is controlled by a person other than the principal.
  - 10. The method of claim 7, wherein the second request to use the digital identity information includes information identifying the relying party.
  - 18. The method of claim 7, further comprising:
    - receiving a request from the first device for information related to the use of the digital identity representation; and
      
      sending the information to the first device.
  - 19. The method of claim 7, wherein the digital identity representation includes a non time-based use restriction that further includes an address of a third device from which the permission to use the digital identity representation must be obtained.

11. A method of using a digital identity representation provided by a first device to a second device, the method comprising:
- requesting, by the second device, access to a relying party;
  
  receiving, at the second device, a security policy from the relying party;
  
  sending, to the first device, a first request from the second device to obtain the digital identity representation, wherein the first request includes a timestamp, and a time-based use restriction request;
  
  receiving, at the second device, the digital identity representation, wherein the digital identity representation;
  
  includes a time-based use restriction for the digital identity representation that is based on the time-based use restriction request and the timestamp in the first request;
  
  includes metadata describing at least a first claim about a principal; and
  
  identifies an identity provider;
  
  requesting an identity token from the identity provider, wherein the step of requesting includes using the digital identity representation; and
  
  using the identity token to satisfy at least a portion of the security policy, wherein the first device is different from each of the second device, the identity provider, and the relying party.
- View Dependent Claims (12, 13, 14, 15, 20)
- - 12. The method of claim 11, further comprising:
    - sending, by the second device, a second request for permission to use the digital identity representation; and
      
      receiving, at the second device, permission to use the digital identity representation prior to the step of requesting the identity token.
  - 13. The method of claim 12, wherein the second request is sent by the second device to a third device that is different from the first device.
  - 14. The method of claim 11, wherein the security policy received from the relying party identifies the identity provider.
  - 15. The method of claim 12, wherein the second request includes information identifying the relying party.
  - 20. The method of claim 11, wherein the digital identity representation further includes backing data comprising the first claim.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shewchuk, John, Cameron, Kim, Nanda, Arun, Xie, Xiao
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US11/952,890
Publication Number

US 20080184339A1
Time in Patent Office

2,307 Days
Field of Search

726 2- 5, 726/1, 726/6, 726/7, 726/9, 713/170, 713/173, 713/178
US Class Current

726/6
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

Remote access of digital identities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Remote access of digital identities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links