This invention relates generally to computing security, and more particularly but not exclusively, to tightly pre-binding an on-line identity to a digital signature.
Today, proving who you are, and knowing with whom you may be communicating on-line, is becoming increasingly important. It is of particular concern in such on-line activities as e-commerce, on-line dating, social networking activities, and the like. Unfortunately, all too often, an individual or entity with which you may be communicating may not be whom you had expected. Such fraudulent misrepresentations are making it more difficult to know whom to trust on-line. They are also causing many users to reduce their use of on-line activities. Such reduction financially impacts many on-line companies.
In response, many on-line companies have attempted to create new tools to help people confirm their identities and validate the identities of those with whom they may be communicating. Typical solutions attempt to bind an identity of a person or entity with a digital signature. This is typically achieved by having the person or entity complete an application that includes selected information about the entity. This action is commonly known as registration of the entity. The selected information is typically provided to another entity, such as a registration authority, or the like, that then uses the selected information to verify the identity of the registering entity. This may be performed by searching a database, such as a motor vehicle database, a merchant database, a financial database, a credit database, or the like. If the identity can be verified to some level of confidence by the registration authority, the registration authority may then provide the registering entity with a private key generated from a public/private key generation algorithm. The registering entity may then use the private key to digitally sign messages and other digital material. The digital signature is intended to provide a level of confidence that the message is from a known entity.
However, the above approach leaves open several security concerns. For example, as described above, the delivery of the private key by the registration authority may be open to a man-in-the-middle attack and to interception. That is, an unauthorized party may access and use the private key to impersonate the registering entity or even the registration authority. Moreover, because the registration authority has access to the private key, the key may be hacked, improperly distributed, or the like. Again, this leaves open the possibility of impersonation of the registering entity. This means that the confidence in having received a message from the registering entity may be significantly reduced. In addition, the time and effort often required to complete the registration process may be an obstacle to many entities, resulting in a further barrier to digital signature usage for on-line activities, and further resulting in loss of potential e-commerce opportunities. Thus, it is with respect to these considerations and others that the present invention has been made.
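The key-custody concern described above can be modelled directly. The following is an added example, not part of the original document: it uses toy textbook RSA over fixed primes (not secure), all function names are hypothetical, and the second flow, in which the registering entity generates its own key pair, is an assumption introduced only for contrast.

```python
import hashlib

# Toy textbook RSA over two fixed Mersenne primes: illustration only, not secure.
# Fixed primes keep the example deterministic; real keys are generated randomly.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537

def generate_keypair():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, n, exponent):
    return pow(_digest(message, n), exponent, n)

def verify(public, message, signature):
    return pow(signature, public["e"], public["n"]) == _digest(message, public["n"])

def register_ra_generated():
    """Flow from the text: the registration authority generates the pair
    and delivers the private key to the registering entity."""
    public, private = generate_keypair()   # runs at the registration authority
    wire = [public, private]               # material that crosses the network
    holders = {"registering entity", "registration authority"}
    return public, wire, holders

def register_entity_generated():
    """Contrast flow (assumption, not from the text): the registering entity
    generates the pair and sends only the public key for binding."""
    public, private = generate_keypair()   # runs at the registering entity
    wire = [public]
    holders = {"registering entity"}
    return public, wire, holders

def observer_can_sign(public, wire, message=b"constructed test message"):
    """Try every exponent seen in transit; True if any yields a signature
    that a relying party would accept under the registered public key."""
    for item in wire:
        exponent = item.get("d", item.get("e"))
        if verify(public, message, sign(message, item["n"], exponent)):
            return True
    return False

if __name__ == "__main__":
    for flow in (register_ra_generated, register_entity_generated):
        public, wire, holders = flow()
        print(flow.__name__, sorted(holders), observer_can_sign(public, wire))
```

In the first flow a relying party cannot tell a signature made by the registering entity from one made by any other holder of the delivered key, which is the loss of confidence the passage describes.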