System and method of dynamic issuance of privacy preserving credentials
First Claim
1. A method for authenticating a user, operating a web application on a host computer, to a web-based service of a service provider, comprising:
receiving, by the web application from the service provider, a request to present a credential indicative of satisfying an access requirement of the service provider;
forwarding the request to present a credential, by the web application, to a security device connected to the host computer;
if the security device has possession of a verifiable credential proving that an identity provider vouches for the satisfaction of the access requirement, presenting a presentation token to the service provider, the presentation token providing proof of the possession of a verifiable credential indicative of satisfying the access requirement of the service provider;
if the security device is not in possession of the verifiable credential, operating the service provider to transmit a first request to the web application in which the web application is requested to obtain the verifiable credential by displaying a user interface directing the user to the identity provider;
in response to receiving the first request and user indication to proceed to the identity provider to obtain the verifiable credential, operating the web application to redirect the first request received from the service provider to the identity provider via a separator, by:
transmitting the first request from the web application to the separator without identifying the user;
operating the separator to transmit a second request for the verifiable credential to the identity provider without identifying the service provider as originator;
operating the identity provider and the security device associated with the user in response to the second request:
to engage in a privacy-preserving credential creation exchange in cooperation with the identity provider including verification and attestation by the identity provider of validity of attributes that the user needs to prove to the service provider to satisfy the access requirement of the service provider;
operating the security device:
to generate the presentation token from the privacy-preserving credential; and
to present the presentation token to the service provider as proof of the validity.
Abstract
Method and System for enhanced privacy in privacy-preserving identity solutions. The technology provides for a redirect of a request to generate a proof of an attribute from a service provider to a separator. The separator removes source identification from the attribute-proof request and redirects the attribute-proof request, free of original source identification, to a credential issuer which issues the credential. A security device of the user generates a presentation token from the privacy-preserving credential and presents the presentation token to the service provider as proof of the attribute. Other systems and methods are disclosed.
10 Claims
8. A system for protecting privacy of a user of online information services, comprising:
a host computer operating under a control of a web application by which the user accesses a web service executing on a server of a service provider;
a personal security device connected to the host computer and programmed to generate and store privacy-preserving credentials and to generate presentation tokens from the privacy-preserving credentials in response to receiving a request including a policy of the web service;
wherein the service provider is programmed to generate a credential generation request that redirects to a separator via the web application executing on the host computer;
wherein the separator comprises a web server that is programmed to receive the credential generation request and to create a second credential generation request, wherein the separator returns the second credential generation request to the web application and wherein the second credential generation request redirects the web application to an identity provider; and
wherein the identity provider comprises a second web server operable, in response to the second credential generation request, to engage in a credential generation protocol with the personal security device including verification and attestation by the identity provider of validity of attributes that the user needs to prove to the service provider to satisfy an access requirement of the service provider.
9. A web server computer having a processor and a memory, the memory comprising instructions to cause the web server to receive a first request to generate a privacy-preserving credential from a web browser wherein the first request originates with a service provider and is redirected to the web server via the web browser executing on a host computer;
in response to receiving the first request to generate the privacy-preserving credential, creating a response in the form of a second request to generate the privacy-preserving credential wherein the second request redirects the web browser to an identity provider directing the identity provider to engage in a credential issuance protocol with a personal security device connected to the host computer; and
transmitting the second request to the web browser in response to the first request.
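The redirect flow of claims 1, 8 and 9 as an added simulation (not the patent's own code): each party logs what it receives, so the two privacy properties the claims state can be checked afterwards: the separator never sees the user, and the identity provider never sees the service provider. All names are assumptions, and an HMAC under a key the service provider also holds stands in for whichever credential signature or proof scheme a real deployment would use.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
# Issuer key: HMAC under a key the SP also holds stands in for the signature/proof scheme the patent leaves open
IDP_KEY = secrets.token_bytes(32)

@dataclass
class Party:
    name: str
    log: list = field(default_factory=list)  # everything this party ever received

@dataclass
class SecurityDevice(Party):
    creds: dict = field(default_factory=dict)  # attribute -> attestation from the identity provider

    def present(self, attribute: str, nonce: bytes):
        att = self.creds.get(attribute)
        if att is None:
            return None  # not in possession: the service provider must start the issuance redirect
        # presentation token: proves possession of the credential, bound to the SP's nonce, names no user
        return {"attribute": attribute, "attestation": att.hex(),
                "binding": hmac.new(att, nonce, hashlib.sha256).hexdigest()}

def separator(sep: Party, first_request: dict) -> dict:
    sep.log.append(first_request)  # sees the attribute and the SP, never the user
    return {"attribute": first_request["attribute"], "origin": sep.name}  # SP identity stripped

def identity_provider(idp: Party, records: dict, second_request: dict, user_id: str, device: SecurityDevice):
    idp.log.append(second_request)  # sees the user it authenticates, never the SP
    attribute = second_request["attribute"]
    if not records.get(user_id, {}).get(attribute):
        return False  # attribute not verified: nothing is attested or issued
    device.creds[attribute] = hmac.new(IDP_KEY, attribute.encode(), hashlib.sha256).digest()
    return True

def service_provider_verify(token, nonce: bytes, attribute: str) -> bool:
    expected = hmac.new(IDP_KEY, attribute.encode(), hashlib.sha256).digest()
    return (token is not None and token["attribute"] == attribute
            and hmac.compare_digest(bytes.fromhex(token["attestation"]), expected)
            and hmac.compare_digest(token["binding"], hmac.new(expected, nonce, hashlib.sha256).hexdigest()))

def run_flow(user_id: str, attribute: str, records: dict):
    sp, sep, idp = Party("shop.example"), Party("separator.example"), Party("idp.example")
    device, nonce = SecurityDevice("security-device"), secrets.token_bytes(16)
    token = device.present(attribute, nonce)
    if token is None:  # first request: web app forwards it to the separator without identifying the user
        first = {"attribute": attribute, "origin": sp.name}
        identity_provider(idp, records, separator(sep, first), user_id, device)
        token = device.present(attribute, nonce)
    return service_provider_verify(token, nonce, attribute), sep.log, idp.log, token
```

The `records` dict is a constructed stand-in for the identity provider's own verification of the user's attributes; a user whose attribute is not on record gets no credential and therefore no accepted token.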