Digital identities that are issued by common identity issuance mechanisms for proving identity to other participating parties in a digital transaction do not have a means of indicating variations in the amount of risk that their use introduces into a transaction. Cryptographically, all identities possess the same characteristics and do not indicate intended use, usage caveats, or quality of the issued identity to the participants in the transaction. These elements are typically reflected in the certification process statement (CPS) of the certificate issuer, so a party wishing to determine whether a certificate is appropriate for a specific use must read and interpret the CPS. Typically, the CPS is not machine-readable and thus is not machine-interpretable.
In today's systems, a party participating in a digital transaction assumes the liability for misused certificates, and there is no guarantee that the identities presented by each party in a digital transaction will be issued or maintained under equal security provisions or with the same practices and methods. This is true because individual certificate issuers have differing practices as indicated by their respective CPS. Hence there is a variation in the quality of the identity based on the conditions under which it was granted, stemming from the mechanisms and procedures employed in the management of key material associated with the digital identity and the management practices of the issuer of the identity. With the increased frequency and monetary value of online or electronic transactions, being able to ascertain the conditions under which the certificate (digital identity) issued to a participant in an online transaction was intended to be used and the conditions under which the identity was issued becomes paramount to assignment of risk in using the certificate.
In some types of electronic transactions, mutual authentication between transaction participants takes place based on certified identities for the parties participating in the transaction. For example, one participant (say, a consumer) provides a certified identity as the basis for authentication to another participant (say, a vendor) that provides some service or good. In this example, the provider of the service or good may be able to assume liability should the transaction not be fulfilled. One missing element in these transactions is the consumer's or vendor's capability to determine, from the supplied certified identity, what risk the other transaction participant is introducing into the transaction. The ability to present a digital identity is used as a gating factor for access to a service or completion of a transaction. However, the quality of the digital identity being presented by one or both parties may be suspect for many reasons. The digital identity may be stolen, or it may be in use outside the scope of the purpose for which it was procured. The digital identity may be in use without knowledge of the issuer's willingness to assume liability for the identity's use. Or, the digital identity may have been obtained without the required process that was intended to protect the transaction.
As an example of the latter, cryptographic identities bind public and corresponding private key material to a name or set of attributes. The result of a common enrollment protocol is an X.509 or XrML certificate that indicates a user's name and certifies that the key material included in the certificate is indeed possessed by the individual named in the certificate. Currently, enrollment protocols involve a variety of elements to be checked that indicate the relative strength of the binding of the identity to information about the user at the time of certificate issuance. Some of these elements might consist of an email address, a home address, age, required presentment and inspection of a government-issued identity document, or other supporting documentation. The number of elements that are checked is in direct correlation to the intended use of the certificate and is directly related to the liability the issuer assumes for the use of the credentials. As more attributes are verified by the enrollment process the binding grows stronger, and the resulting quality of the identifier grows as well. However, there is presently no uniform way to indicate which elements of personal or verification information were required for the enrollment process. Nor is there a way to link this same information, either at the issuer's server or in the client credentials, so that a separate agent can provide an evaluation of the certificate's quality. There is likewise no way to evaluate this information against a transaction participant's established requirements for the quality of identity produced for a transaction, whether at the issuer's server, through a third party offering this as a service, or on one of the participating machines in the transaction.
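The evaluation described in the preceding paragraph (matching the enrollment elements an issuer actually verified against a relying party's own quality requirements, and checking that the identity is being used within the scope it was procured for) can be sketched in code. The following is an added illustration, not the invention's own implementation or any issuer's format: it assumes a hypothetical issuer-signed "enrollment attestation" accompanying the certificate, with constructed element names and score weights, and uses an HMAC over a shared secret as a stand-in for the issuer's certificate signature so that the example runs offline. The relying-party policy refuses to count any claimed element unless the attestation verifies and the issuer is trusted, which is the failure mode the page is concerned with.

```python
"""Machine-readable identity-quality evaluation (illustrative, constructed example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Hypothetical enrollment elements and the weight each adds to a quality score.
# Real weights would come from the relying party's or insurer's risk model.
ELEMENT_WEIGHTS = {
    "email_verified": 1,
    "postal_address_verified": 2,
    "age_verified": 2,
    "government_id_inspected": 5,
    "supporting_documentation": 3,
}


@dataclass(frozen=True)
class Attestation:
    """Issuer's statement of what was checked at enrollment (constructed format)."""
    subject: str
    issuer: str
    elements: tuple        # enrollment elements the issuer verified
    intended_uses: tuple   # transaction types the identity was procured for
    tag: str = ""          # hex HMAC over the fields above; stands in for a signature

    def payload(self) -> bytes:
        # Canonical encoding so issuer and relying party MAC identical bytes.
        body = {
            "subject": self.subject,
            "issuer": self.issuer,
            "elements": sorted(self.elements),
            "intended_uses": sorted(self.intended_uses),
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(issuer_key: bytes, subject: str, issuer: str,
                      elements, intended_uses) -> Attestation:
    """Issuer side: bind the verified elements and intended uses to the subject."""
    unsigned = Attestation(subject, issuer, tuple(elements), tuple(intended_uses))
    tag = hmac.new(issuer_key, unsigned.payload(), hashlib.sha256).hexdigest()
    return replace(unsigned, tag=tag)


def attestation_is_authentic(issuer_key: bytes, att: Attestation) -> bool:
    """Relying-party side: recompute the tag and compare in constant time."""
    expected = hmac.new(issuer_key, att.payload(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.tag)


def quality_score(elements) -> int:
    """Sum the weights of verified elements; unknown names contribute nothing."""
    return sum(ELEMENT_WEIGHTS.get(e, 0) for e in set(elements))


@dataclass(frozen=True)
class RelyingPartyPolicy:
    """The relying party's established requirements for an identity."""
    trusted_issuers: frozenset
    required_elements: frozenset
    minimum_score: int
    transaction_type: str


def evaluate_identity(att: Attestation, policy: RelyingPartyPolicy,
                      issuer_keys: dict) -> dict:
    """Decide whether the presented identity meets the policy; list every reason not."""
    reasons = []
    key = issuer_keys.get(att.issuer)
    if att.issuer not in policy.trusted_issuers or key is None:
        reasons.append(f"issuer {att.issuer!r} is not trusted")
    elif not attestation_is_authentic(key, att):
        reasons.append("attestation tag does not verify; enrollment claims are unknown")
    # An unverifiable attestation proves nothing, so none of its claims count.
    claimed = set(att.elements) if not reasons else set()
    uses = set(att.intended_uses) if not reasons else set()
    score = quality_score(claimed)
    missing = sorted(policy.required_elements - claimed)
    if missing:
        reasons.append("required enrollment elements not verified: " + ", ".join(missing))
    if score < policy.minimum_score:
        reasons.append(f"quality score {score} below minimum {policy.minimum_score}")
    if policy.transaction_type not in uses:
        reasons.append(f"identity not procured for {policy.transaction_type!r}")
    return {"accept": not reasons, "score": score, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: one issuer, one consumer identity, one vendor policy.
    keys = {"ExampleCA": b"constructed-shared-secret"}
    att = issue_attestation(keys["ExampleCA"], "alice@example.test", "ExampleCA",
                            ["email_verified", "postal_address_verified",
                             "government_id_inspected"], ["retail_purchase"])
    policy = RelyingPartyPolicy(frozenset({"ExampleCA"}),
                                frozenset({"government_id_inspected"}), 6, "retail_purchase")
    print(evaluate_identity(att, policy, keys))
```

The decision returns every unmet requirement rather than stopping at the first, so a relying party or insurer can see whether a rejection is due to a weak enrollment, an out-of-scope use, or an attestation it cannot trust at all.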
As a consequence, most cryptographic identities appear largely the same in all transactions, regardless of the information that was processed in the registration activity. A quantitative assessment of risk is not easy to perform in today's electronic transactions based solely on the digital identities exchanged between transaction participants. Even if the risk is marginally acceptable, there is no easy way to insure an electronic transaction, because the risk of loss in an e-commerce transaction using one or more digital identities cannot be readily determined.
Thus, there is a need for a method and system for use in electronic transactions to assess the risk of entering into the transaction as well as to insure against the risk of loss by a party in an electronic transaction. The present invention addresses the aforementioned needs and solves them with additional advantages as expressed herein.