Method for generating a certificate

  • US 9,596,089 B2
  • Filed: 06/10/2011
  • Issued: 03/14/2017
  • Est. Priority Date: 06/28/2010
  • Status: Active Grant
First Claim

1. A method for generating a transaction-bound certificate in a system comprising a first computer system associated with an ID provider, a second computer system associated with a service provider and a third computer system associated with a user, wherein the first, second and third computer systems are at distinct physical locations and are coupled to one another via a network, the method comprising:

  • sending, by the third computer system to the second computer system, a transaction request for the user to carry out a transaction;

    sending, by the second computer system to the third computer system, responsive to receiving the transaction request;

    data to be signed and a signature request for signing the data to be signed, wherein signing of the data to be signed is necessary to carry out the requested transaction and wherein the signature request comprises at least one data value that is only produced specifically for the requested transaction by the second computer system once the transaction request has been received by the second computer system and wherein a first data value of the at least one data value comprises a document number of an electronic document, an order number of the electronic document, an identifier of an operator of the second computer system that sends the signature request, an identifier of the second computer system that sends the signature request, or a data value derived therefrom, a data value associated with or derived from the data to be signed, or a data value derived from content of the electronic document;

    checking by the third computer system, responsive to receiving the signature request whether a transaction-bound certificate is available that is suitable for the requested transaction and, if this is not the case, executing the following;

    generating, by executing a program of instructions in a processor of an ID token, an asymmetric key pair consisting of a private key and a public key, wherein the ID token is associated with the user and wherein generation of the asymmetric key pair occurs exclusively external to the third computer system;

    storing the generated asymmetric key pair on the ID token, wherein at least the private key is stored in a protected memory area of the ID token;

    transmitting a certificate request from the ID token to the first computer system, the certificate request comprising the generated public key and at the least one data value of the signature request;

    generating, by the first computer system, a transaction-bound certificate dependent upon the public key and the at least one data value; and

    sending, by the first computer system to the third computer system, the transaction-bound certificate responsive to generating, by the first computer system, the transaction-bound certificate;

    wherein the validity of the transaction-bound certificate is restricted to the requested transaction and is dependent upon the least one data value and wherein the generation of the transaction-bound certificate occurs exclusively external to the third computer system, wherein checking, by the third computer system, whether an available transaction-bound certificate is suitable for the requested transaction comprises;

    checking, at least from the first data value of the at least one data value, whether the available transaction-bound certificate is bound to the requested transaction; and

    checking whether an asymmetric key pair affiliated with the available transaction-bound certificate is stored in the ID token.
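
The suitability check and the issuance fallback of claim 1, modelled as an added example that is not part of the patent text or any implementation of it. All class and function names are hypothetical, deriving the data value with SHA-256 over an order number and the data to be signed is an assumption, and a hash and an HMAC stand in for a real asymmetric key pair and the ID provider's certificate signature.

```python
import hashlib
import hmac
import secrets

def derive_binding(order_number: str, data_to_sign: bytes) -> str:
    """Data value produced by the service provider for one transaction."""
    return hashlib.sha256(order_number.encode() + b"\x00" + data_to_sign).hexdigest()

class IDToken:
    """Key pairs are generated and stored on the token, never on the user's computer."""
    def __init__(self):
        self._protected = {}  # public key -> private key (protected memory area)

    def generate_key_pair(self) -> str:
        private = secrets.token_bytes(32)
        public = hashlib.sha256(private).hexdigest()  # stand-in, not real asymmetric crypto
        self._protected[public] = private
        return public

    def holds_key_for(self, public: str) -> bool:
        return public in self._protected

class IDProvider:
    """Issues certificates over (public key, transaction data value)."""
    def __init__(self):
        self._ca_key = secrets.token_bytes(32)

    def issue(self, public: str, binding: str) -> dict:
        body = f"{public}|{binding}".encode()
        tag = hmac.new(self._ca_key, body, hashlib.sha256).hexdigest()  # stand-in for a CA signature
        return {"public_key": public, "binding": binding, "ca_tag": tag}

def is_suitable(cert: dict, binding: str, token: IDToken) -> bool:
    """Both checks from the claim: bound to this transaction, and key pair on the token."""
    bound = hmac.compare_digest(cert["binding"], binding)
    return bound and token.holds_key_for(cert["public_key"])

def obtain_certificate(store: list, binding: str, token: IDToken, provider: IDProvider):
    """Reuse a suitable certificate, else generate keys on the token and request a new one."""
    for cert in store:
        if is_suitable(cert, binding, token):
            return cert, False
    public = token.generate_key_pair()
    cert = provider.issue(public, binding)
    store.append(cert)
    return cert, True
```

A certificate issued for one order number fails the check for any other order number, and it also fails when presented alongside a token that does not hold the matching key pair.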
