System and method for pool-based identity generation and use for service access
First Claim
1. A method comprising:
- receiving, by a service consumer from an identification authority, a non-portable identity document associated with the service consumer, the identity document including signed assertions corresponding to independently verifiable data of the service consumer, the independently verifiable data including an IP address of the service consumer, the identity document being bound to the IP address of the service consumer, and the signed assertions being compatible with a security assertion markup language;
- generating, by use of a processor of the service consumer, a request for credentials including at least a portion of the content of the identity document, the portion including an assertion corresponding to the IP address;
- sending the request for credentials from the service consumer to an authentication authority; and
- based on a match between the IP address corresponding to the assertion included in the sent portion of the content of the identity document and an IP address retrieved by the authentication authority based on the request but independently from the identity document, receiving credentials from the authentication authority by the service consumer; and
- sending the received credentials along with a request for service from the service consumer to a service provider.
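The three-party exchange the claims describe (identification authority, authentication authority and service provider, each comparing the IP asserted in the signed document against the source IP it observes for itself), as an added Python example that is not part of the patent. HMAC over canonical JSON stands in for the SAML/XML signature, and the keys, subject name and IP addresses are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed keys: stand-ins for the authorities' private keys (HMAC replaces
# the XML signature a SAML assertion would normally carry).
ID_AUTHORITY_KEY = b"identification-authority-key"
AUTH_AUTHORITY_KEY = b"authentication-authority-key"


def _sign(key, assertions):
    payload = json.dumps(assertions, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _verify(key, doc):
    return hmac.compare_digest(_sign(key, doc["assertions"]), doc["signature"])


def issue_identity_document(subject, verified_ip):
    """Identification authority: bind a non-portable identity document to the IP it verified."""
    assertions = {"subject": subject, "ip": verified_ip}
    return {"assertions": assertions, "signature": _sign(ID_AUTHORITY_KEY, assertions)}


def issue_credentials(identity_doc, observed_ip):
    """Authentication authority: observed_ip comes from the connection, never from the document."""
    if not _verify(ID_AUTHORITY_KEY, identity_doc):
        return None  # tampered or forged identity document
    if identity_doc["assertions"]["ip"] != observed_ip:
        return None  # document presented from a host other than the one it is bound to
    assertions = {"subject": identity_doc["assertions"]["subject"], "ip": observed_ip}
    return {"assertions": assertions, "signature": _sign(AUTH_AUTHORITY_KEY, assertions)}


def service_provider_accepts(credential, observed_ip):
    """Service provider: same check on the credential, against its own view of the source IP."""
    return (credential is not None
            and _verify(AUTH_AUTHORITY_KEY, credential)
            and credential["assertions"]["ip"] == observed_ip)


def run_flow(verified_ip, request_ip):
    """Full exchange; True only if the credential-bearing request is served."""
    doc = issue_identity_document("consumer-1", verified_ip)
    cred = issue_credentials(doc, request_ip)
    return service_provider_accepts(cred, request_ip)
```

A document or credential carried to another host fails at the first authority that sees a source IP different from the bound one.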
Abstract
A computer-implemented system and method for pool-based identity generation and use for service access is disclosed. The method in an example embodiment includes seeding an identity generator with a private key; retrieving independently verifiable data corresponding to a service consumer; using the independently verifiable data to create signed assertions corresponding to the service consumer; generating a non-portable identity document associated with the service consumer, the identity document including the signed assertions; signing the identity document with the private key; and conveying the signed identity document to the service consumer via a secure link.
26 Citations
9 Claims
4. A method comprising:
- receiving, by an authentication authority, a request for credentials from a service consumer, the request for credentials including at least a portion of the content of a non-portable identity document associated with the service consumer and received by the service consumer from an identification authority, the identity document portion including signed assertions corresponding to independently verifiable data of the service consumer, the independently verifiable data including an IP address of the service consumer, the identity document being bound to the IP address of the service consumer, and the signed assertions being compatible with a security assertion markup language;
- retrieving, by the authentication authority, the IP address of the service consumer based on the request, independently from the identity document;
- comparing, by the authentication authority, the IP address corresponding to an assertion included in the received portion of the content of the identity document associated with the service consumer against the IP address retrieved independently therefrom;
- generating, by use of a processor of the authentication authority, credentials for the service consumer based on a match between the IP address corresponding to an assertion included in the received portion of the content of the identity document and the IP address retrieved independently therefrom; and
- sending the generated credentials from the authentication authority to the service consumer for providing the credentials along with a request for service to a service provider.
Dependent claims: 5.
6. A method comprising:
- retrieving, by a service consumer, a credential associated with the service consumer from an authentication authority, the credential including signed assertions corresponding to independently verifiable data of the service consumer, the independently verifiable data including an IP address of the service consumer, the credential being bound to the IP address of the service consumer, and the signed assertions being compatible with a security assertion markup language;
- generating, by use of a processor of the service consumer, a request for service including at least a portion of the content of the credential, the portion including an assertion corresponding to the IP address;
- sending the request for service from the service consumer to a service provider; and
- based on a match between the IP address corresponding to the assertion included in the sent portion of the content of the credential and an IP address retrieved by the service provider based on the request but independently from the credential, receiving a message from the service provider indicating that the requested service can be provided.
Dependent claims: 7.
8. A system comprising:
- a processor;
- a memory coupled to the processor to store information related to credentials for a service consumer;
- a credential request receiver to receive a request for credentials from a service consumer, the request for credentials including at least a portion of the content of a non-portable identity document associated with the service consumer and received by the service consumer from an identification authority, the identity document including signed assertions corresponding to independently verifiable data of the service consumer, the signed assertions being compatible with a security assertion markup language, the credential request receiver further to retrieve, based on the request for credentials but independently from the identity document, an IP address of the service consumer, and to compare the IP address corresponding to an assertion included in the portion of the content of the identity document associated with the service consumer received with the request for credentials against the independently retrieved IP address; and
- a credential generator to generate, by use of the processor, credentials for the service consumer based on a match between the IP address corresponding to an assertion included in the received portion of the content of the identity document and the independently retrieved IP address of the service consumer, the generated credentials being bound to the IP address of the service consumer; and to send the generated credentials to the service consumer for providing the credentials along with a request for service to a service provider.
Dependent claims: 9.