In the physical world, individual persons are able to assess one another by sight, by hearing and by an accounting of physical attributes. Drivers' licenses, passports and other regulated documents provide verified accountings of attributes that permit individuals to prove who they are, or permit others to confirm who an individual says he or she is.
Fingerprints, retinal patterns, breath and DNA, among other attributes, are understood and recognized to be highly individual and are widely accepted and used to verify identity. But these attributes are physical and tied to a physical world.
Computers have become commonplace and highly integrated in nearly all aspects of modern life. Transcending the bounds of professional and social spaces, computers are a prominent fixture in the workplace, in the home, as mobile devices and in many other places and arenas of daily life.
Increasingly, individuals represent themselves in the cyber world of computer systems and computer networks, where digital information in the elemental form of binary data is entirely ignorant of physicality. A critical problem in cyberspace is knowing with whom one is dealing; in short, at the present time there is no precise way to determine the identity of a person in digital space. Friends, family members and colleagues may use a common computer, share passwords, or even pretend to be people they are not. Sometimes these actions are benign and sometimes they are not.
As computers are often used in a commercial setting such as a business, organization or secured network (hereinafter "business"), a business often has very legitimate reasons to know who is accessing its network. In addition, in many instances a business or organization desires not only to know who is using its system, but also to control the type of equipment that is used with its system.
For example, to comply with licensing, privacy or other external or internal regulation, a company may desire that its users make use of company-provided equipment for conducting company business. In other words, a new or existing employee is provided with a company system that may have customized software for word processing, email, network access and the like.
In addition, in some instances different levels of employees impose different requirements. For example, a secretary may have email access to the multiple accounts of the persons he or she supports, a vice president or president may have access rights to an entire team, and a mail room employee may have access to email and a company directory but no file access.
Typically, companies achieve this granularity of configuration by configuring each system individually: the system for a given employee must be either pre-configured and then given to the employee, or the employee must go to the technical resources group to receive his or her new machine.
In addition, in many instances companies or other entities make use of user identities, passwords and even digital certificates in an effort to control who has access to what, when, and perhaps from where.
Digital certificates, also known as public key certificates, are electronic documents that bind a public key to an identity. The binding is attested by a digital signature (a mathematical scheme for demonstrating the authenticity and integrity of a message) computed over the certificate by its issuer, so that any party holding the issuer's public key can check that the certificate has not been altered. A public key infrastructure (PKI) is the set of hardware, software, people, policies and/or procedures used to create, manage, distribute, use, store and revoke digital certificates.
When referring to or working with digital certificates, a PKI is in many cases implied. More simply put, digital certificates are electronic documents that are offered to prove or verify the identity of a user. Typically a digital certificate is issued by a certificate authority (CA) that has performed some verification, or established some threshold of information, sufficient to assert that the party to whom the certificate is issued is indeed the party he or she reports to be. For a business or organization, the PKI is typically operated by the business itself or by a third party that has been charged with providing digital certificates to the employees.
In addition to identifying a person, a digital certificate may also include additional information, which may be used to determine the level of authorization that should be afforded to the holder of the digital certificate. Examples include the period of validity of the certificate (its not-before and not-after dates), the user's real name, the user's subject alternative names, the intermediate certificate authority that issued the certificate, the type of computer system used when requesting the certificate, the type of computer system authorized for use with the certificate, or other such information pertinent to establishing both the identity of the user of the digital certificate and the trustworthiness of the root certificate authority ultimately responsible for the authority vested in the digital certificate.
Indeed, digital certificates can and often do greatly simplify the authentication of a user, as the user has already established himself or herself in some way that was sufficient for a certificate authority to issue the digital certificate. Relying on a digital certificate can ease a network's reliance on parties having previously established, or contemporaneously establishing, a local identity, a savings both in time for the user and in the costs associated with the overhead and storage of the user identity for the local network.
But understanding who is who can still be a difficult prospect. Often an employee has his or her own private computer system, if not also his or her own smart phone, tablet or other computing device. In many cases these devices may be quite similar to the systems that the company intends to provide.
It thus becomes a challenge for the company to ensure that employees use the proper systems for access and for conducting company business, and that employees do not share or attempt to share their digital identifications across multiple systems. In other words, if a company provides a digital certificate for network access intended for use by the employee with his or her company laptop, the company may desire that the employee not also use this same digital certificate for network access from his or her smart phone, tablet or another laptop.
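The following is an added illustration, not part of the original text and not the method it goes on to claim. Using only the Go standard library (crypto/x509), it shows the certificate contents described above (issuer, subject name, subject alternative name, validity period, signature by a CA) and one simple way a relying party could tie a certificate to a single authorized device: the issuing CA records the device identifier in a URI-form subject alternative name, and the network refuses the certificate when it is presented from any other device. The company name "Example Corp", the employee "Alice Example", the device identifiers and the `urn:example:device:` naming scheme are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// deviceURN is the SAN URI prefix this example uses to name the device a
// certificate was issued for. It is an assumption of this example, not a
// scheme the text specifies.
const deviceURN = "urn:example:device:"

// NewCA creates a self-signed certificate authority for the hypothetical
// company "Example Corp". It stands in for the business's own PKI.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Corp"}, CommonName: "Example Corp Employee CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Self-signed: the template is both subject and issuer, signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueUserCert issues an employee certificate signed by the CA. The employee's
// name goes in the Subject, the authorized device goes in a Subject Alternative
// Name (URI form), and the validity window bounds how long it may be used.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, userCN, deviceID string, validFor time.Duration) (*x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(deviceURN + deviceID)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"Example Corp"}, CommonName: userCN},
		URIs:         []*url.URL{u},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// The CA's key signs the employee's certificate; the employee's private key never leaves the employee.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authorize is the relying party's check: the certificate must chain to the
// company CA, be within its validity period at time `at`, be usable for client
// authentication, and name the device that is presenting it.
func Authorize(cert, ca *x509.Certificate, presentingDevice string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	for _, u := range cert.URIs {
		if u.String() == deviceURN+presentingDevice {
			return nil
		}
	}
	return fmt.Errorf("certificate for %q is not bound to device %q", cert.Subject.CommonName, presentingDevice)
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	user, err := IssueUserCert(ca, caKey, "Alice Example", "LAPTOP-0001", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer:", user.Issuer.CommonName, "subject:", user.Subject.CommonName, "valid until:", user.NotAfter.Format(time.RFC3339))
	fmt.Println("from laptop:", Authorize(user, ca, "LAPTOP-0001", time.Now()))
	fmt.Println("from phone: ", Authorize(user, ca, "PHONE-0001", time.Now()))
}
```

The device check here is only as strong as the relying party's knowledge of which device is actually presenting the certificate; a device identifier that the client itself reports can be copied along with the certificate, which is the very sharing the text describes. Binding the certificate's private key to hardware on the authorized device (for example a TPM or secure element) is the usual way to make the "one certificate, one device" property hold against a cooperative user.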
Hence there is a need for a method and system that is capable of overcoming one or more of the above identified challenges.