One of the difficulties in dealing with current electronic transactions is ensuring proper security measures are in place to identify the user and the service being used. Most systems rely on user tokens, which contain secure information that is used to validate the identity of the user, preferably through some form of two-factor authentication, such as a One Time Password (OTP) or challenge-response algorithm. User permits, containing digital signatures, identify the user's access and authorizations for services (permissions). Permit issuers' certificates serve to validate the permissions.
Current solutions based on digitally signed permits, such as that disclosed in U.S. Pat. No. 6,216,116 and as used with CCITT X.509 Attribute Certificates rely on a user level digital certificate infrastructure to be in place to support the user identification and authentication process connected with permit verification. Issuance and management of a user PKI (Public Key Infrastructure) is costly and complex and, as a consequence, is not widely deployed today. The result is that digital permits become difficult to deploy.
An alternative solution to the existing user certificate and digital permit system is desirable to promote larger deployment of secure verification systems. Ideally, any such solution should combine the security and validation provided by user authentication tokens and user permits.
It is an object of this invention to provide such a solution.