U.S. patent application number 15/233343 was filed with the patent office on 2016-12-01 for remote access of digital identities.
This patent application is currently assigned to Microsoft Technology Licensing, LLC. The applicant listed for this patent is Microsoft Technology Licensing, LLC. Invention is credited to Kim Cameron, Arun Nanda, John Shewchuk, Xiao Xie.
Application Number | 20160352717 15/233343 |
Document ID | / |
Family ID | 39669485 |
Filed Date | 2016-12-01 |
United States Patent
Application |
20160352717 |
Kind Code |
A1 |
Shewchuk; John ; et
al. |
December 1, 2016 |
REMOTE ACCESS OF DIGITAL IDENTITIES
Abstract
A system and method for controlling distribution and use of
digital identity representations ("DIRs") increases security,
usability, and oversight of DIR use. A DIR stored on a first device
may be obtained by a second device for use in satisfying the
security policy of a relying party. Release of the DIR to the
second device requires permission from a device or entity that may
be different from the device or entity attempting to access the
relying party. Further, the use of the DIR to obtain an identity
token may separately require permission of even a different person
or entity and may be conditioned upon receiving satisfactory
information relating to the intended use of the DIR (e.g., the name
of the relying party, type of operation being attempted, etc.). By
controlling the distribution and use of DIRs, security of the
principal's identity and supervisory control over a principal's
activities are enhanced.
Inventors: |
Shewchuk; John; (Redmond,
WA) ; Cameron; Kim; (Bellevue, WA) ; Nanda;
Arun; (Sammamish, WA) ; Xie; Xiao; (Shanghai,
CN) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
Microsoft Technology Licensing, LLC |
Redmond |
WA |
US |
|
|
Assignee: |
Microsoft Technology Licensing,
LLC
Redmond
WA
|
Family ID: |
39669485 |
Appl. No.: |
15/233343 |
Filed: |
August 10, 2016 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
14176782 |
Feb 10, 2014 |
|
|
|
15233343 |
|
|
|
|
11952890 |
Dec 7, 2007 |
8689296 |
|
|
14176782 |
|
|
|
|
60886894 |
Jan 26, 2007 |
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
H04L 63/08 20130101;
H04L 63/0853 20130101; G06F 21/33 20130101; G06F 21/41
20130101 |
International
Class: |
H04L 29/06 20060101
H04L029/06 |
Claims
1. A method for controlling distribution of a digital identity
representation, comprising the steps of: receiving at a first
device a request from a second device for the digital identity
representation; prompting a user of the first device to accept or
deny the request; providing, if the request is accepted by the
user, the digital identity representation.
2. The method of claim 1, wherein the digital identity
representation is provided by a third device.
3. The method of claim 1, wherein the digital identity
representation includes metadata describing at least a first claim
about a principal.
4. The method of claim 3, wherein the digital identity
representation further includes backing data comprising the first
claim.
5. The method of claim 3, wherein the principal is the user of the
first device.
6. The method of claim 1, wherein the first device includes a use
limitation in the digital identity representation.
7. The method of claim 6, wherein the use limitation comprises an
expiration time for the digital identity representation.
8. The method of claim 7, wherein the expiration time is based on a
timestamp provided in the request by the second device.
9. The method of claim 1, wherein, prior to the request, the
digital identity representation is stored at the first device and
includes internal address information pointing to an identity
provider included in the first device, further comprising the step
of: changing the internal address information to an externally
accessible address of the first device.
10. The method of claim 1, further comprising the steps of:
receiving a second request to use the digital identity
representation; prompting the user of the first device to accept or
deny the second request; providing, if the second request is
accepted by the user, permission to use the digital identity
representation.
11. A computer program product for use in a computer system, the
computer program product comprising one or more computer readable
media having computer-executable instructions for implementing a
method for controlling use of a digital identity representation,
the method comprising the steps of: receiving at a first device a
request from a second device to use the digital identity
representation; prompting a user of the first device to accept or
deny the request; providing, if the request is accepted by the
user, permission to use the digital identity representation.
12. The computer program product of claim 11, wherein the digital
identity representation includes metadata describing at least a
first claim about a principal and the principal is not the user of
the first machine.
13. The computer program product of claim 11, wherein the digital
identity representation includes a use restriction that is
changeable by the user of the first device.
14. The computer program product of claim 13, wherein the use
restriction includes an address of a third device from which the
permission to use the digital identity representation must be
obtained.
15. The computer program product of claim 11, wherein the method
further comprises the steps of: requesting from the second device
information related to the use of the digital identity
representation.
16. The computer program product of claim 15, wherein the second
device requests use of the digital identity representation to
obtain an identity token and the information includes
identification of a relying party to whom the identity token is to
be provided.
17. A method of using a digital identity representation, comprising
the steps of: receiving a request for an identity token from a
relying party; sending to a first device a request from a second
device to obtain the digital identity representation; receiving at
the second device the digital identity representation, wherein the
digital identity representation includes metadata describing at
least a first claim about a principal; sending from the second
device a request to use the digital identity representation;
receiving at the second device permission to use the digital
identity representation; using the digital identity representation
to request the identity token; receiving the identity token; and
providing the identity token to the relying party.
18. The method of claim 17, wherein the request to use the digital
identity representation is sent to a third device that is different
from the first and second devices.
19. The method of claim 17, wherein the request to use the digital
identity representation is sent to a device that is controlled by a
person other than the principal.
20. The method of claim 17, wherein the request to use the digital
identity information includes information identifying the relying
party.
Description
RELATED APPLICATION/CLAIM OF PRIORITY
[0001] This application claims the benefit of U.S. Provisional
Patent Application No. 60/886,894, entitled "Remote Access of
Digital Identities," filed on or about Jan. 26, 2007.
BACKGROUND
[0002] Increased efforts are being made to give individuals more
control over how their personal identity information is distributed
and used, particularly in a digital context. For example, Microsoft
Corporation of Redmond, Wash., among others, has propagated a
system sometimes referred to as the Information Card
Selector--Microsoft's instantiation is generally referred to as
Windows CardSpace. In a Windows CardSpace system, a principal
obtains one or more digital identity representations, sometimes
referred to as information cards. When the principal attempts to
access a resource (a "relying party") that requires a set of claims
made about the principal, the principal employs a digital identity
representation (hereafter called a "DIR") to initiate communication
with an identity provider that can assert those claims. In some
cases, the identity provider may be controlled by a principal and
run on the principal's own machine. In others it may be controlled
by a third party. The identity provider returns an "identity token"
that includes the required claims information.
[0003] DIRs are useful in, among other contexts, complying with
relying-party requests for identity tokens. Providing easy and
secure use of DIRs is advantageous to principals seeking access to
such relying parties.
SUMMARY
[0004] This summary is provided to introduce a selection of
concepts in a simplified form that are further described below in
the Detailed Description. This Summary is not intended to identify
key features or essential features of the claimed subject matter,
nor is it intended to be used as an aid in determining the scope of
the claimed subject matter.
[0005] One aspect relates to a method for controlling distribution
of DIRs. A first device receives a request for a DIR. A user of the
first device is prompted to accept or deny the request. If the
request is accepted, the DIR is provided. In embodiments, the user
of the first device is the principal about which the DIR defines
claims. In other embodiments, the user of the first device is not
the principal. In embodiments, the first device does not have a
sense of time, and the DIR includes a use restriction that is based
on a time stamp provided in the request for the DIR from the second
device. In further embodiments, the first device includes an
identity provider, and before the DIR is provided to the second
device, the address for the identity provider in the DIR is changed
to an externally accessible address of the first device.
[0006] Another aspect relates to a computer program product for
controlling use of a DIR. A first device receives a request from a
second device to use the DIR. The user of the first device is
prompted to accept or deny the request. If the request is accepted,
permission to use the DIR is provided. Again, in embodiments, the
user of the first device may or may not be the principal about
which the DIR includes claims.
[0007] Still another aspect relates to a method for using a DIR. A
request for an identity token is received from a relying party. A
request is sent to a first device from a second device to obtain
the DIR. The digital identity representation includes metadata
describing at least a first claim about a principal and the DIR is
received at the second device. A request to use the DIR is sent
from the second device. The second device receives permission to
use the DIR, and the DIR is then used to obtain the identity token.
The identity token is sent to the relying party.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] FIG. 1 illustrates an example DIR distribution and use
system.
[0009] FIG. 2 illustrates an example method for controlling
distribution of DIRs.
[0010] FIG. 3 illustrates an example method for providing a
DIR.
[0011] FIG. 4 illustrates an example method for controlling use of
a DIR.
[0012] FIG. 5 illustrates an example method for procuring and using
a DIR.
[0013] FIG. 6 illustrates another example method for procuring and
using a DIR.
[0014] FIG. 7 illustrates a computing device configuration
according to an embodiment of the disclosure.
DETAILED DESCRIPTION
[0015] Example embodiments will now be described more fully
hereinafter with reference to the accompanying drawings. Like
numbers refer to like elements throughout.
[0016] Example embodiments disclosed herein relate generally to
identity systems including DIRs used in initiating communication
for production of identity tokens that can be exchanged between a
principal, an identity provider, and a relying party to
authenticate an identity and/or information related to the
principal. In example embodiments herein, the principal may be a
natural person or persons, a computer, a network, or any other
entity. The relying party has goods, services, or other information
that the principal desires to access and/or obtain. In example
embodiments, the relying party can be any resource, privilege, or
service that requires a security policy to enter, access, or use.
For example, a relying party may comprise one or more of:
computers, computer networks, data, databases, buildings,
personnel, services, companies, organizations, physical locations,
electronic devices, or any other type of resource.
[0017] Referring now to FIG. 1, an example DIR system 100 is shown
including a first device 105, first user 106, principal 110, second
device 111, third device 117, third user 118, and a relying party
120. First device 105 includes a computer system at least
temporarily controlled by first user 106. Second device 111
includes a computer system at least temporarily controlled by the
principal 110. Third device 117 includes a computer system at least
temporarily controlled by third user 118. As will be discussed
herein, the first user 106, principal 110, and third user 118 may
comprise three different people or entities or may, in embodiments,
comprise the same people or entities. Relying party 120 may also
include a computer system. System 100 may also include an identity
provider 115 and identity provider 107, each of which are discussed
further below and may include, or be part of, a computer
system.
[0018] First device 105, second device 111, third device 117,
identity provider 115, and relying party 120 can communicate with
each other over one or more networks, such as the Internet, or
through telephonic or other forms of wired or wireless
communication. In example embodiments, principal 110 can use second
device 111 to request goods, services, information, privileges, or
other access from relying party 120. Relying party 120 can require
authentication of the identity of, or information about, principal
110 before or in conjunction with providing the requested access to
principal 110.
[0019] Also shown in FIG. 1 is an example identity provider 115.
Identity provider 115 includes a computer system. In example
embodiments, identity provider 115 includes a claims transformer
130 and a claims authority 140. The claims transformer 130 is
sometimes referred to as a "security token service." In the example
shown, identity provider 115 can provide one or more claims about
principal 110. A claim is a statement or assertion made about the
principal, possibly including information about the principal such
as, for example, name, address, social security number, age, credit
history, transactional requirements, etc. As described further
below, identity provider 115 can provide claims to relying party
120 in the form of a digitally signed identity token. In example
embodiments, identity provider 115 is in a trusted relationship
with relying party 120, so that relying party 120 trusts the claims
in the signed identity token from identity provider 115. In
embodiments, identity provider 107 may be identical or similar to
identity provider 115 but may be part of first device 105 rather
than a separately controlled computer system.
[0020] Although claims transformer 130 and claims authority 140 of
identity provider 115 are shown as separate entities in FIG. 1, in
alternative embodiments claims transformer 130 and claims authority
140 can be the same entity or different entities or systems.
Identity provider 115 may take the form of a security token service
in some example embodiments. Similarly, first device 105, second
device 111, and third device 117 may be the same or different
entities or systems.
[0021] Computer systems described herein include, without
limitation, a personal computer, server computer, hand-held or
laptop device, microprocessor system, microprocessor-based system,
programmable consumer electronics, network PCs, minicomputers,
mainframe computer, smart card, telephone, mobile or cellular
communication device, personal data assistant, distributed
computing environment that includes any of the above systems or
devices, and the like. Some computer systems described herein may
comprise portable computing devices. A portable computing device is
any computer system that is designed to be physically carried by a
user. Each computer system may also include one or more
peripherals, including without limitation: keyboard, mouse, a
camera, a web camera, a video camera, a fingerprint scanner, an
iris scanner, a display device such as a monitor, a microphone, or
speakers. The term "computer system" is used herein interchangeably
with "device."
[0022] Each computer system includes an operating system, such as
(without limitation) the WINDOWS operating system from Microsoft
Corporation, and one or more programs stored on the computer
readable media. Each computer system may also include one or more
input and output communications devices that allow the user to
communicate with the computer system, as well as allow the computer
system to communicate with other devices. Communications between
the computer systems of FIG. 1 (e.g., first device 105, second
device 111, third device 117, identity provider 115, and relying
party 120 can be implemented using any type of communications link,
including, without limitation, the Internet, wide area networks,
intranets, Ethernets, direct-wired paths, satellites, infrared
scans, Bluetooth, cellular communications, or any other type of
wired or wireless communications.
[0023] In some example embodiments disclosed herein, system 100 is
implemented at least in part as an Information Card system provided
in the .NET 3.0 framework developed by Microsoft Corporation of
Redmond, Washington. The Information Card system allows users to
manage multiple DIRs from various identity providers. Each of the
first device 105, second device 111, and third device 117 may
include an identity selector, such as Windows CardSpace from
Microsoft Corporation of Redmond, Wash.
[0024] The Information Card system utilizes a web services platform
such as the Windows Communication Framework in the .NET 3.0
framework. In addition, the Information Card system is built using
the Web Services Security Specifications propagated at least in
part by Microsoft Corporation of Redmond, Wash. These
specifications include a message security model WS-Security, an
endpoint policy WS-SecurityPolicy, a metadata exchange
WS-MetadataExchange, and a trust model WS-Trust. Generally, the
WS-Security model describes how to attach identity tokens to
messages. The WS-SecurityPolicy model describes end point policy
requirements, such as required identity tokens and supported
encryption algorithms. Such policy requirements can be conveyed and
negotiated using a metadata protocol defined by
WS-MetadataExchange. The WS-Trust model describes a framework for
trust models that enables different web services to interoperate.
Some example embodiments described herein refer to the Web Services
Security Specifications described above. In alternative
embodiments, one or more other specifications can be used to
facilitate communications between the various subsystems in system
100.
[0025] Referring again to FIG. 1, principal 110 can send a request
via second device 111 to relying party 120 for access to goods,
services, or other information. For example, in one embodiment,
second device 111 sends a request to relying party 120 to perform
an operation at relying party 120, such as complete an online
purchase. The request sent by second device 111 can include a
request for the authentication requirements of relying party 120
using, for example, the mechanisms provided in
WS-MetadataExchange.
[0026] In response to the request, relying party 120 may send
second device 111 requirements for relying party 120 to
authenticate principal's identity or other information about
principal 110. The requirements of relying party 120 for
authentication are referred to herein as a security policy. A
security policy minimally defines the set of claims from a trusted
identity provider 115 or identity provider 107 that the principal
110 must provide to relying party 120 for relying party 120 to
authenticate principal 110. A security policy can include a
requirement of proof regarding a personal characteristic (such as
age), identity, financial status, etc. It can also include rules
regarding the level of verification and authentication required to
authenticate any offers of proof (e.g., digital signature from a
particular identity provider).
[0027] In one example, relying party 120 specifies its security
policy using WS-SecurityPolicy, including both the claim
requirements and type of identity token required by relying party
120. Examples of types of claims include, without limitation, the
following: first name, last name, email address, street address,
locality name or city, state or province, postal code, country,
telephone number, social security number, date of birth, gender,
personal identifier number, credit score, financial status, legal
status, etc.
[0028] The security policy can also be used to specify the type of
identity token required by relying party 120, or a default type can
be used as determined by the identity provider. In addition to
specifying the required claims and token type, the security policy
can specify a particular identity provider required by the relying
party. Alternatively, the policy can omit this element, leaving the
determination of the appropriate identity provider up to principal
110. Other elements can be specified in the security policy as well
such as, for example, the freshness of the required security
token.
[0029] In some embodiments, principal 110 can require that relying
party 120 identify itself to second device 111 so that principal
110 can decide whether or not to satisfy the security policy of
relying party 120, as described below. In one example, relying
party 120 identifies itself using an X509 certificate. In other
embodiments, relying party 120 can identify itself using other
mechanisms such as, for example, a Secure Sockets Layer ("SSL")
server certificate.
[0030] Second device 111 may include one or more DIRs 112 for
principal 110. These DIRs 112 (sometimes referred to as
"Information Cards" in the Windows CardSpace system provided in the
.NET 3.0 framework developed by Microsoft Corporation of Redmond,
Washington) are artifacts that represent the token issuance
relationship between principal 110 and a particular identity
provider, such as identity provider 115. Each DIR may correspond to
a particular identity provider, and principal 110 can have multiple
DIRs 112 from the same or different identity providers.
[0031] DIRs 112 can include, among other information, the identity
provider's issuance policy for identity tokens, including the type
of tokens that can be issued, the claim types for which it has
authority, and/or the credentials to use for authentication when
requesting identity tokens. DIRs 112 may be represented as XML
documents that are issued by identity providers 115 or DIR
generation systems and stored on a storage device such as second
device 111, first device 105, and/or third device 117. The DIRs 112
represented in the various devices of FIG. 1 may be different
copies of the same DIR, different DIRs, or DIRs with the same
claims but adapted for use in different devices as described
further herein.
[0032] As discussed, second device 111 may also include an identity
selector. Generally, an identity selector is a computer program and
user interface that permits principal 110 to select between one or
more DIRs 112 of principal 110 on second device 111. DIRs 112, in
turn, can be used to request and obtain identity tokens from one or
more identity providers, such as identity provider 115. For
example, when a security policy from relying party 120 is received
by second device 111, the identity selector may be programmed to
identify one or more DIRs 112 that satisfy one or more of the
claims required by the security policy using the information in
DIRs 112. Once principal 110 receives the security policy from
relying party 120, principal 110 can communicate with (using, for
example, second device 111) one or more identity providers to
gather the claims required by the policy.
[0033] In example embodiments, when principal has access to an
appropriate DIR on second device 111, principal 110 uses the DIR
112 to request one or more identity tokens from identity provider
115 using the issuance mechanism described in WS-Trust. The
identity of relying party 120 can, but need not, be specified in
the request sent by principal 110 to identity provider 115. The
request can include other requirements as well, such as a request
for a display token.
[0034] Generally, claims authority 140 of identity provider 115 can
provide one or more of the claims required by the security policy
from relying party 120. Claims transformer 130 of identity provider
115 is programmed to transform the claims and to generate one or
more signed identity tokens 150 that include the claim(s) relating
to principal 110.
[0035] Principal 110 can request an identity token in a certain
format in its request to identity provider 115, based on
requirements from relying party 120. Claims transformer 130 can be
programmed to generate identity tokens in one of a plurality of
formats including, without limitation, X509, Kerberos, SAML
(versions 1.0 and 2.0), Simple eXtensible Identity Protocol
("SXIP"), etc. Such requirements can be included in the DIR.
[0036] In example embodiments, claims transformer 130 forwards the
identity token 150 to principal 110 using the response mechanisms
described in WS-Trust. In one embodiment, claims transformer 130
includes a security token service (sometimes referred to as an
"STS"). In an example embodiment, principal 110 forwards identity
token 150 to relying party 120 by binding identity token 150 to an
to application message using the security binding mechanisms
described in WS-Security. In other embodiments, identity token 150
may be sent directly from the identity provider 115 to relying
party 120.
[0037] Once relying party 120 receives identity token 150, relying
party 120 can verify (e.g., by decoding or decrypting the identity
token 150) the origin of signed identity token 150. Relying party
120 can also utilize the claim(s) in identity token 150 to satisfy
the security policy of relying party 120 to authenticate principal
110 and permit principal 110 to complete the requested
operation.
[0038] In embodiments, however, second device 111 will not have in
local storage an appropriate DIR 112 that refers to claims required
by the security policy of relying party 120. For example, on
occasion, a principal 110 may use a second device 111 that is
publicly accessible (e.g., public library, airport kiosk,
unprotected computer terminal, etc.) to attempt to access or
perform operations at relying party 120. In this instance,
principal 110 may desire to use a DIR 112 stored on another device,
such as first device 105 or third device 117. Use of such remotely
stored DIRs 112 is now discussed in more detail.
[0039] On occasion, principal 110 may use a different device to
store DIRs 112 than the device the principal 110 uses to attempt to
access a relying party, such as relying party 120. For example, a
principal 110 may use a mobile device, such as a cellular phone, to
store DIRs 112, but may wish to use a device with a richer user
interface, such as a personal computer ("PC"), to interact with a
relying party. In embodiments, the principal 110 requests that a
DIR 112 be provided from first device 105 to second device 111 for
use in accessing relying party 120. First user 106 is prompted to
approve the release of DIR 112 to second device 111, and in
embodiments the DIR 112 requested is not sent to the second device
111 until such approval is received. In other embodiments, the DIR
112 is stored on third device 117, but approval for release of DIR
112 to second device 111 is required from first user 106 before the
third device 117 releases DIR 112 to second device 111.
[0040] In embodiments, first user 106 and principal 110 are the
same person. For example, a principal 110 who stores DIR 112 on a
mobile phone and wants to use the DIR at second device 111 (e.g., a
PC) on which DIR 112 is not present may both: (a) request the DIR
112 on the second device 111; and (b) approve the release of the
DIR 112 to the second device 111 from first device 105 (e.g., the
principal's mobile phone). In other embodiments, the release of the
DIR to the second device 111 must be approved by a first user 106
and/or third user 118 who are not the same as the principal
110.
[0041] In embodiments, DIR 112, as stored on first device 105, will
include an internal address pointing to identity provider 107,
which may be a service on first device 105. For example, if the DIR
112 is "self-issued" by the first device 105 (e.g., the first
device created the DIR 112 and issues any identity tokens created
by use of the DIR 112), the DIR 112 will contain an internal
pointer to identity provider 107. This is in contrast to a "managed
DIR" which contains an address for a third-party identity provider,
such as identity provider 115. Identity provider 107 may include a
claims transformer and claims authority as described in relation to
identity provider 115.
[0042] In the case of a DIR 112 that has been "self-issued" by
first device 105, when second device 111 requests the DIR 112 from
first device 105, first device changes the address of the identity
provider 107 from an internal address to an externally accessible
address. This allows second device 111, when it eventually attempts
to use the DIR 112 to obtain an identity token 150, to find
identity provider 107. For example, if the request for DIR 112 from
second device 111 was made via Bluetooth communication, the address
for identity provider 107 may be changed to a Bluetooth identifier.
If the connection between second device and first device is made
via GPRS, a phone number for identity provider 107 may be inserted
into DIR 112. Similarly IP address and port number, a URL path
name, or any number of other addressing mechanisms may be used
depending on the available communication stack(s) between first
device 105 and second device 111. Similarly, if a self-issued DIR
112 is accessed from third device 117, third device 117 may make
similar changes to provide an externally accessible address for an
identity provider included in third device 117.
[0043] In embodiments, DIRs 112 may include use restrictions. For
example, DIR 112 may be programmed to include instructions that,
once DIR 112 is released (such as to second device 111), it may be
used only one time or only within the "next ten minutes." As
discussed, on occasion, the principal 110 may be interacting with
relying party 120 via a second device 111 that is not secure (e.g.,
public library, kiosk, etc.). Accordingly, although embodiments may
otherwise protect against unauthorized use of DIRs 112 (e.g.,
password protection, etc.), use limitations provide another layer
of protection against unauthorized use after the principal 110 is
no longer in control of second device 111.
[0044] In embodiments, first device 105 and third device 117 may
have different computing abilities compared to each other and to
second device 111. For example, one or both of first device 105 and
third device 117 may lack an internal clock or other independent
sense of time. This makes it difficult for first device 105 or
third device 117 to encode any use restrictions into DIR 112 before
releasing it to second device 111. In embodiments, second device
111 includes in its request for a DIR 112 a timestamp based on the
timing mechanism of second device 111. In the absence of its own
timing mechanism(s), first device 105 or third device 117 may rely
on the timestamp in the request from second device 111 to encode
any time-based use restrictions into DIR 112 before releasing it to
second device 111. For example, if the DIR 112 requires, or
principal 110 requests, a restriction that DIR 112 will be useable
for only 10 minutes after it is downloaded to second device 111,
first device 105 uses a timestamp in the request from second device
111 to determine the current time, adds ten minutes to it, and sets
the appropriate expiration time in the copy of DIR 112 sent to
second device 111.
[0045] FIG. 2 illustrates an embodiment of a method 200 for
controlling distribution of DIRs. Method 200 could occur in
response to a principal attempting to access a relying party or
outside of any particular context of an attempt to use a DIR. At
step 210, a request to procure a DIR is received at a first device
from a second device. A user of the first device is prompted 220 to
accept or deny the request for the DIR. In embodiments, the user of
the first device is prompted through a user-interface of the first
device. The user of the first device may be asked to authenticate
himself/herself prior to being permitted to accept or deny the
request for DIR. Authentication methods may include any of a
variety of authentication protocols, including passwords,
biometrics, smartcards, etc.
[0046] At step 230, the user of the first device indicates to the
first device whether the request has been accepted. The indication
of acceptance can be made in a variety of manners, including a
keyboard entry at the first device in response to a prompt. If the
request for DIR is not accepted, then a message is sent 240 that
the request is denied. For example, if the user of the first device
denies the request, or the request times out, the first device may
send a message that the second device may display to a user of the
second device. As discussed, the user of the first device may be
the same as or different from the user of the second device. If the
request for DIR is accepted, the requested DIR is provided 250.
[0047] FIG. 3 illustrates a method 300 that, in some embodiments,
comprises provide step 250. At step 310, a determination is made
whether the requested DIR is stored locally on the first device. If
not, a third device is instructed 320 to provide the requested DIR.
In this embodiment, the third device may perform any or all of the
remaining steps of this FIG. 3.
[0048] At step 330, if the DIR is stored locally, a determination
is made whether the identity provider address included in the
requested DIR points to a local service or process. If so, the
identity provider address in the copy of the DIR to be provided is
changed 340 to an externally accessible address. As discussed in
relation to FIG. 1, the choice of an externally accessible identity
provider address may be dependent upon the type of communication
stack used to request the DIR. For example if the second device
used an internet connection to request the DIR from the first
device, the address for the identity provider local to the first
device may be changed to a URL address accessible by the second
device.
[0049] At step 350, a determination is made whether a time-based
use restriction is to be included in the DIR. In embodiments, the
DIR will contain instructions that, if transferred to another
device, that copy of the DIR must be restricted in use (e.g., "good
for ten minutes," "one-time use," etc.). In other embodiments, a
principal at the second device may include a use restriction in
his/her request for the DIR. For example, a principal that is using
a public computer to access a relying party may request that a DIR
from his/her mobile phone be downloaded to the public computer. The
principal may also request, however, that the DIR be good for only
ten minutes, which will enable the principal to complete an
operation at the relying party, but the DIR will not be useable by
someone who later logs into the public computer. When the first
device includes a use restriction in a DIR, it relies in good faith
on the second device honoring the use restriction. For example, an
"identity selector" or other user interface at the second device
may be programmed to present to a user only cards that have not
expired or otherwise become unusable according to a use
restriction.
[0050] If a time-based use restriction is to be included in the DIR
copy provided to the second device, the device providing the DIR
may program the use restriction using an internal clock. In the
embodiment illustrated in FIG. 3, the device (e.g., the first
device) lacks an internal timing mechanism and sets 360 the use
restriction based off of a timestamp in the request from the second
device in the manner discussed above.
[0051] At step 370, a determination is made whether to include the
data backing the requested DIR. Whether to include backing data may
be determined based on the request from the principal or otherwise.
Backing data includes the actual data that comprise the claims
required by a relying party. For example, a DIR may include
metadata that lists the types of claims required to be included in
an identity token for a particular relying party (e.g., fields for
social security number, phone number, etc.). Backing data comprises
the actual social security number, phone number, etc. that would be
encoded by an identity provider into an identity token in response
to receiving the DIR.
[0052] Typically, backing data is not provided along with a DIR
because backing data is sensitive personal information, and DIRs
are used to represent the backing data that is available in a
secure identity token from an identity provider. This protects the
backing data from being stored or transferred unnecessarily.
However, in embodiments, the first device may lack the
computational ability to produce or encrypt an identity token, and
the principal may desire to transfer both a DIR and its backing
data to a second device that is capable of acting as an identity
provider (provider of a necessary identity token).
[0053] If backing data is not to be included with the DIR, the DIR
is provided 380. In embodiments, step 380 includes sending the DIR
from the first device to the second device. In other embodiments,
step 380 includes directing a third device to send the DIR to the
second device or providing the second device with a pointer or
reference to the DIR stored on a third device. If backing data is
to be included with the DIR, the DIR and backing data are similarly
provided 390.
[0054] FIG. 4 illustrates a method 400 of controlling use of a DIR.
At step 410, a request to use a DIR is received. In embodiments a
user of a first device receives the request to use a DIR. The user
of the first device may be different from or the same as the user
of the device making the request. For example, a child may be
required to get permission from a parent to use the DIR to perform
particular operations at a relying party. The request to use the
DIR may be from a device controlled by a principal or from an
identity provider that received the DIR in an attempt to obtain an
identity token.
[0055] The DIR may be programmed to require a device attempting to
send the DIR to an identity provider to first obtain permission
from a particular person or device. For example, the device being
used by the principal to interact with the relying party could be
required to ask permission to use the DIR prior to sending the DIR
to an identity provider. The DIR could also be programmed to signal
to an identity provider receiving the DIR that permission to use
the DIR must be obtained from a particular person or device before
the identity provider is permitted to provide the requesting device
with an identity token. The request for permission could include
first authenticating the user targeted to give permission (through
password, biometrics, or otherwise) or may require only an
indication of acceptance from whoever is then controlling the
device to which the request for permission is sent.
[0056] In embodiments, a user of the device receiving a request to
use a DIR (to obtain an identity token) may request 420 information
relating to the intended use of the DIR. For example, a user being
asked to approve the request to use the DIR may desire to know the
name of the relying party at which a principal is attempting to
perform an operation, what the requested operation is, and other
information relating to the operation. At step 430, the information
is received relating to the intended use of the DIR. As a
nonexclusive example, the information may include the name of an
on-line merchant (relying party), an attempted purchase
(operation), and the price/cost of the intended transaction
(operation-specific parameters). The information may also include a
descriptive name for the DIR (e.g., "Mom's Visa Card"). This
information may aid the user to determine 440 whether to accept the
request. If not, a message denying the request is provided 445. If
so, permission to use the DIR is provided 450. Denial of the
request at step 445 or permission for the request at step 450 may
be provided to the requesting device or to an identity provider
(either directly or through the requesting device).
[0057] FIG. 5 depicts a method 500 for obtaining and using a DIR.
In this embodiment, the method begins with a request 510 to access
a relying party. The request to access may be a request to enter a
secured area of relying party (such as a secured web page) or a
request to perform a particular operation at the relying party. At
step 520, a request for an identity token is received. For example,
the relying party may respond to a device that requested access to
the relying party with the security policy for the relying party,
including a request for an identity token that includes a minimum
set of claims.
[0058] At step 530, a request for a DIR is made. The request for
DIR, in embodiments, may be a request for a specific DIR or for any
DIRs that meet the minimum set of claims required by the security
policy of the relying party. The DIR is received at step 540, and a
request to use the DIR is sent at step 550. The request to use the
DIR at step 550 can be made to a different device or entity than
the request to obtain the DIR. For example, a principal may store
DIRs on his/her mobile phone and request that a DIR be downloaded
for use to a public PC. The DIR may, however, be programmed to
require the permission of another person or user of another device
before it can be used to obtain an identity token.
[0059] At step 560, permission to use the DIR is received. In the
embodiment illustrated in FIG. 5, permission to use the DIR is
received 560 before the DIR is sent at step 570 to an identity
provider. In other embodiments, the DIR is sent to an identity
provider, and the identity provider requests and receives
permission to use the DIR prior to providing an identity token. At
step 580, the identity token is provided to the relying party. In
embodiments, the identity token is provided directly to the relying
party by the identity provider. In other embodiments, the identity
token is provided to the device requesting access to the relying
party, which forwards the identity token to the relying party. In
addition, as used herein, "provide identity token" includes
providing a pointer or reference to an identity token that the
relying party can use to obtain the identity token from the
identity provider or other device. In embodiments, the
communication path between the identity provider and the relying
party may be more reliable or robust than the path through the
requesting device to the relying party.
[0060] In addition, in embodiments the requests to obtain and use
the DIR may be made simultaneously to a single device. For example,
if a principal seeks to obtain access to a relying party and sends
a request to obtain and use a DIR to a first device, the first
device may prompt a user whether the request to obtain the DIR and
the request to use the DIR are accepted. If so, and the DIR is
self-issued, the first device may respond to the device being used
by the principal with an identity token that meets the security
policy of the relying party. In other embodiments, this is not
applicable because different users or devices will be involved in
the determination whether to release the DIR versus whether the DIR
can be used to obtain an identity token.
[0061] At step 590, access to the relying party is obtained. For
example, if an identity token is provided at step 580 meeting the
security policy of the relying party, the principal is permitted to
perform a requested operation at the relying party.
[0062] FIG. 6 illustrates an embodiment of a method 600 in which a
DIR is obtained and used in a particular context. At step 610, a
principal requests access from a PC to a payment site at a relying
party web site. At step 620, the relying party requests an identity
token having a minimum set of claims relating to the principal. The
principal uses 630 the PC to request a DIR for this relying party
that the principal has stored on the principal's mobile device. The
principal is prompted 640 on the principal's mobile device
regarding the request for the DIR, and the principal accepts the
request. The principal's mobile device then sends 650 the requested
DIR to the PC then being used by the principal.
[0063] At step 655, the PC sends the DIR to an identity provider
specified in the DIR. In this example embodiment, the identity
provider is a third-party identity provider, and the DIR is a
"managed DIR." The identity provider requests 660 proof from the
principal of permission to use the DIR to obtain an identity token.
The PC forwards 665 the request for proof of permission to use to a
third party device specified in the DIR. In this exemplary
embodiment, the principal is a teenager, and the DIR directs the
identity provider to seek permission from the principal's mother on
her cellular phone. The principal's mother uses her cellular phone
to request 670 more information regarding the intended use of the
DIR.
[0064] At step 675, the PC provides the requested information to
the third party device controlled by the principal's mother. In
this example, the PC provides the name of the relying party, the
anticipated operation (e.g., payment for goods), and
operation-specific parameters (e.g., the price of the goods). At
step 680, the principal's mother uses her cell phone to accept the
request to use the DIR, and sends a message to that effect to the
identity provider through the PC. The identity provider then
provides 685 the identity token to the relying party, and the
principal is permitted 690 to complete the requested operation at
the relying party.
[0065] FIG. 7 illustrates a general computing device 700 (also
referred to herein as a device, computer or computer system), which
can be used to implement the embodiments described herein. The
computing device 700 is only one example of a computing environment
and is not intended to suggest any limitation as to the scope of
use or functionality of the computer and network architectures.
Neither should the computing device 700 be interpreted as having
any dependency or requirement relating to any one or combination of
components illustrated in the example computing device 700. In
embodiments, computing device 700 may be used, for example, as a
first device 105, second device 111, third device 117, identity
provider 115, or relying party 120 as described above with respect
to FIG. 1.
[0066] In its most basic configuration, computing device 700
typically includes at least one processing unit 702 and memory 704.
Depending on the exact configuration and type of computing device,
memory 704 may be volatile (such as RAM), non-volatile (such as
ROM, flash memory, etc.) or some combination of the two. This most
basic configuration is illustrated in FIG. 7 by dashed line 706.
System memory 704 stores applications that are executing on
computing device 700. In addition to applications, memory 704 may
also store information being used in operations being performed by
computing device 700, such as a DIR use request 710 and/or a DIR
procurement request 711, as described with respect to FIGS.
1-6.
[0067] Additionally, computing device 700 may also have additional
features/functionality. For example, computing device 700 may also
include additional storage 708 (removable and/or non-removable)
including, but not limited to, magnetic or optical disks or tape.
Such additional storage is illustrated in FIG. 7 by storage 708.
Computer storage media includes volatile and nonvolatile, removable
and non-removable media implemented in any method or technology for
storage of information such as computer readable instructions, data
structures, program modules or other data. Memory 704 and storage
708 are examples of computer storage media. Computer storage media
includes, but is not limited to, RAM, ROM, EEPROM, flash memory or
other memory technology, CD-ROM, digital versatile disks (DVD) or
other optical storage, magnetic cassettes, magnetic tape, magnetic
disk storage or other magnetic storage devices, or any other medium
which can be used to store the desired information and which can
accessed by computing device 700. Any such computer storage media
may be part of computing device 700.
[0068] As those with skill in the art will appreciate, storage 708
may store a variety of information. Among other types of
information, storage 708 may store a digital identity
representation 730 or an identity token 745.
[0069] Computing device 700 may also contain communications
connection(s) 712 that allow the system to communicate with other
devices. Communications connection(s) 712 is an example of
communication media. Communication media typically embodies
computer readable instructions, data structures, program modules or
other data in a modulated data signal such as a carrier wave or
other transport mechanism and includes any information delivery
media. The term "modulated data signal" means a signal that has one
or more of its characteristics set or changed in such a manner as
to encode information in the signal. By way of example, and not
limitation, communication media includes wired media such as a
wired network or direct-wired connection, and wireless media such
as acoustic, RF, infrared and other wireless media. The term
computer readable media as used herein includes both storage media
and communication media.
[0070] Computing device 700 may also have input device(s) 714 such
as keyboard, mouse, pen, voice input device, touch input device,
etc. Output device(s) 716 such as a display, speakers, printer,
etc. may also be included. All these devices are well know in the
art and need not be discussed at length here.
[0071] The various embodiments described above are provided by way
of illustration only and should not be construed to limiting. Those
skilled in the art will readily recognize various modifications and
changes that may be made to the embodiments described above without
departing from the true spirit and scope of the disclosure or the
following claims.
* * * * *