System and method for pool-based identity generation and use for service access

US 8,893,242 B2
Filed: 04/29/2008
Issued: 11/18/2014
Est. Priority Date: 04/29/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a service consumer from an identification authority, a non-portable identity document associated with the service consumer, the identity document including signed assertions corresponding to independently verifiable data of the service consumer, the independently verifiable data including an IP address of the service consumer, the identity document being bound to the IP address of the service consumer, and the signed assertions being compatible with a security assertion markup language;

generating, by use of a processor of the service consumer, a request for credentials including at least a portion of the content of the identity document, the portion including an assertion corresponding to the IP address;

sending the request for credentials from the service consumer to an authentication authority; and

based on a match between the IP address corresponding to the assertion included in the sent portion of the content of the identity document and an IP address retrieved by the authentication authority based on the request but independently from the identity document, receiving credentials from the authentication authority by the service consumer; and

sending the received credentials along with a request for service from the service consumer to a service provider.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method for pool-based identity generation and use for service access is disclosed. The method in an example embodiment includes seeding an identity generator with a private key; retrieving independently verifiable data corresponding to a service consumer; using the independently verifiable data to create signed assertions corresponding to the service consumer; generating a non-portable identity document associated with the service consumer, the identity document including the signed assertions; signing the identity document with the private key; and conveying the signed identity document to the service consumer via a secure link.

26 Citations

View as Search Results

9 Claims

1. A method comprising:
- receiving, by a service consumer from an identification authority, a non-portable identity document associated with the service consumer, the identity document including signed assertions corresponding to independently verifiable data of the service consumer, the independently verifiable data including an IP address of the service consumer, the identity document being bound to the IP address of the service consumer, and the signed assertions being compatible with a security assertion markup language;
  
  generating, by use of a processor of the service consumer, a request for credentials including at least a portion of the content of the identity document, the portion including an assertion corresponding to the IP address;
  
  sending the request for credentials from the service consumer to an authentication authority; and
  
  based on a match between the IP address corresponding to the assertion included in the sent portion of the content of the identity document and an IP address retrieved by the authentication authority based on the request but independently from the identity document, receiving credentials from the authentication authority by the service consumer; and
  
  sending the received credentials along with a request for service from the service consumer to a service provider.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising:
    - seeding the identification authority with a private key;
      
      sending independently verifiable data corresponding to the service consumer to the identification authority, the independently verifiable data including an IP address of the service consumer; and
      
      at the identification authority, (i) using the independently verifiable data to create signed assertions corresponding to the service consumer, (ii) generating, by use of a processor, a non-portable identity document associated with the service consumer,the identity document including the signed assertions, the identity document being bound to the IP address of the service consumer, and (iii) signing the identity document with the private key.
  - 3. The method as claimed in claim 2 wherein the identity document is stored by the service consumer.

4. A method comprising:
- receiving, by an authentication authority, a request for credentials from a service consumer, the request for credentials including at least a portion of the content of a non-portable identity document associated with the service consumer and received by the service consumer from an identification authority, the identity document portion including signed assertions corresponding to independently verifiable data of the service consumer, the independently verifiable data including an IP address of the service consumer, the identity document being bound to the IP address of the service consumer, and the signed assertions being compatible with a security assertion markup language;
  
  retrieving, by the authentication authority, the IP address of the service consumer based on the request, independently from the identity document;
  
  comparing, by the authentication authority, the IP address corresponding to an assertions included in the received portion of the content of the identity document associated with the service consumer against the IP address retrieved independently therefrom;
  
  generating, by use of a processor of the authentication authority, credentials for the service consumer based on a match between the IP address corresponding to an assertion included in the received portion of the content of the identity document and the IP address retrieved independently therefrom; and
  
  sending the generated credentials from the authentication authority to the service consumer for providing the credentials along with a request for service to a service provider.
- View Dependent Claims (5)
- - 5. The method of claim 4, wherein the IP address is retrieved, independently from the identity document, from a TCP socket header associated with the request or by extracting a value inserted by a virtual IP address forwarding processor.

6. A method comprising:
- retrieving, by a service consumer, a credential associated with the service consumer from an authentication authority, the credential including signed assertions corresponding to independently verifiable data of the service consumer, the independently verifiable data including an IP address of the service consumer, the credential being bound to the IP address of the service consumer, and the signed assertions being compatible with a security assertion markup language;
  
  generating, by use of a processor of the service consumer, a request for service including at least a portion of the content of the credential, the portion including an assertion corresponding to the IP address;
  
  sending the request for service from the service consumer to a service provider; and
  
  based on a match between the IP address corresponding to the assertion included in the sent portion of the content of the credential and an IP address retrieved by the service provider based on the request but independently from the credential, receiving a message from the service provider indicating that the requested service can be provided.
- View Dependent Claims (7)
- - 7. The method as claimed in claim 6 wherein the service provider checks access control data for a requested service and the service consumer via an authorization service.

8. A system comprising:
- a processor;
  
  a memory coupled to the processor to store information related to credentials for a service consumer;
  
  a credential request receiver to receive a request for credentials from a service consumer, the request for credentials including at least a portion of the content of a non-portable identity document associated with the service consumer and received by the service consumer from an identification authority, the identity document including signed assertions corresponding to independently verifiable data of the service consumer, the signed assertions being compatible with a security assertion markup language, the credential request receiver further to retrieve, based on the request for credentials but independently from the identity document, an IP address of the service consumer, and to compare the IP address corresponding to an assertions included in the portion of the content of the identity document associated with the service consumer received with the request for credentials against the independently retrieved IP address; and
  
  a credential generator to generate, by use of the processor, credentials for the service consumer based on a match between the IP address corresponding to an assertion included in the received portion of the content of the identity document and the independently retrieved IP address of the service consumer, the generated credentials being bound to the IP address of the service consumer; and
  
  to send the generated credentials to the service consumer for providing the credentials along with a request for service to a service provider.
- View Dependent Claims (9)
- - 9. The system as claimed in claim 8 wherein the generated credentials are bound to a service name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
eBay Inc.
Original Assignee
eBay Inc.
Inventors
Kolluru, Raju Venkata, Kleinpeter, Michael Dean, Lynch, Liam Sean, Kasten, Christopher J., Kanungo, Rajesh
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US12/111,338
Publication Number

US 20090271625A1
Time in Patent Office

2,394 Days
Field of Search

726/6
US Class Current

726/6
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2129   Authenticate client device ...

G06Q 20/02   involving a neutral party, ...

G06Q 20/3829   involving key management

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4014   Identity check for transact...

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 9/32   including means for verifyi...

H04L 9/3247   involving digital signatures

System and method for pool-based identity generation and use for service access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

System and method for pool-based identity generation and use for service access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others