To exercise certain rights and privileges, people need to possess or show various types of credentials. Credentials are certificates such as birth certificates, Social Security Cards, driver's licenses, membership cards, admission badges charge cards, and the like that represent some certified assertion about a person. In the case of a driver's license, an officer of the state certifies that a specific person is licensed to drive a vehicle. A charge card represents an assertion, certified by some bank or other organization, that a person has a charge account at that bank. Companies issue credentials for their employees, usually in the form of ID badges. Generally. the certificate will include some means of identifying to whom the assertion applies (the holder or subject of the credential), and who is certifying the assertion (the certifier of the credential, who is often the issuer).
In the case of a driver's license or corporate ID, the holder is typically identified by a photograph and signature specimen laminated to the certificate and the certifier of the credential is usually identified by a logo, layout, and some other means such as a hologram.
With the advent of electronic commerce, standard credentials have become insufficient, and the need for digital credentials has become more widespread. Digital credentials are electronic certificates having the property that the assertions about the holder can be interpreted and verified by a computer, the certifier can be reliably recognized by a computer, and the holder's present intention to use the credentials can be recognized by a computer (often remotely, through a network). Digital credentials can use a cryptographic mechanism known as a digital signature. An electronic document can be signed by applying a cryptographic secret key controlled by the signer. A signature can be verified using public information (known as the public key). The verification process can use the public key to verify that the signer's secret key was used to sign the document. The science of public key cryptography enables this.
Examples of digital credentials are automatic teller machine (ATM) or bank cards. As opposed to other types of certificates mentioned earlier, these are not usually presented to people for verification. They are normally presented to an ATM and ultimately to a specialized computer network. The relevant information regarding the certifier is digitally encoded on a magnetic strip and the cardholder is identified by a Personal Identity Number or PIN. Furthermore, the holder's present intention to apply the rights asserted by the credential (such as withdrawing money) is signified by the holder's entry of the PIN. This ATM card allows the holder to use electronic banking over specialized digital networks. The present form of digital credentials, however, can support only a minimal variety of services over specialized and non-specialized networks such as the Internet.
Present ways of using digital credentials (using PINs and passwords) are notoriously insecure, very user-unfriendly, and generally inadequate for electronic commerce. For example, while hand-written signatures on documents can make paper records auditable, PINs and passwords are not very useful for this purpose. In particular, they do not have persistent properties as signatures do. For example, one can directly verify a signature post-hoc, but PINs and passwords can be verified only at time of use. The certified digital signature can substitute for a hand-written signature.
The importance of digital credentials is rapidly increasing because networks are becoming more open and public. Whereas a person's identity on a closed network is known through a network operating system, and privileges can be determined by database look-ups, such is not the case on the Internet, for example.
Digitally-signed certificates have been used in electronic payment systems that have arisen over the past five years or so. At least three distinct types of payment systems exist, each of which differs from the current invention in significant ways. The three systems are referred to as e-check, e-charge, and e-cash.
An e-check is designed to function in a way similar to the way paper checks function. While a paper check is a signed request for a bank to pay a given amount from the payer's account to the party that is named on the check (the payee), an e-check is a message requesting the same procedure, but it is electronically signed by the payer. The electronic signature certifies, as in the case of a paper check that the user attests to the payment request and to the specifics of the payee and the amount. With a paper check, the payee has the option of verifying the identity of the payer in person, often demanding one or more alternate methods of payer identification, or the payee can sometimes wait until the check "clears" before providing value in return for the check. Clearing means that the payee's bank receives payment from the payer's bank. With an e-check system, the payee can also wait until the check clears from the payer's bank, or the payee can accept the legitimacy of the payer's digital signature by checking the certificate that the payer's bank issues to the payer which certifies the payer's signing key. In the latter case, the payee risks the possibility that the digital signature certificate has been revoked. This risk is reduced when the payee checks an electronic "Certificate Revocation List" or CRL. Nonetheless, the residual risk exists that the CRL is not up to date. Additionally, the traditional risk exists that the payer's account may have insufficient funds, and the e-check will not clear.
E-checks use the same clearing system and clearing networks used by paper checks. The systems and networks are relatively expensive to use, and when one adds the cost of administering CRLs and the cost of processing e-checks returned for insufficient funds, the use of e-checks for relatively small payments of a few dollars or less is not cost effective. In the present invention, these inefficiencies are addressed by reducing the dependency on CRLs, and by use of a novel approach to risk management, integrating risk management parameters directly into a certificate.
Another use of digital certificates in payment systems is illustrated by the Secure Electronic Transaction ("SET") standard that has been proposed by MasterCard and Visa. SET describes a relatively complex mechanism for making a payment using certificates within the current credit card payment support infrastructure. A number of parties exist in SET: the cardholder, the payee (or merchant), the issuing bank, the acquirer (or merchant's bank), the payment gateway, and optionally, "third parties" that represent one or more of the financial institutions involved. In SET, five different parties have certificates. Cardholder certificates function as an electronic representation of the payment card. Merchant certificates function as an electronic substitute for the payment brand decal that appears in a store window. Payment Gateway certificates are used by Acquirer's or their processors for the systems that process authorization and capture messages. In addition, Acquirer certificates and Issuer certificates aid in the distribution of Merchant and Issuer certificates, respectively. In general, the various certificates are used to support cryptographic keys that are used to provide credit card transaction messages with security properties such as privacy and authenticity.
SET is, overall, an elaborate scheme that is described in the "SET Secure Electronic Payment Transaction Specification" published by MasterCard and Visa. The certificates involved in SET may need to be revoked for any of a number of reasons such as key compromise, or change of status of the party holding the certificate. In contrast to the present invention, the scheme requires a certificate hierarchy, on-line verification procedures, and a certificate revocation infrastructure. Transactions require a significant amount of computation by multiple parties to complete.
Another use of digital certificates in payment systems is illustrated in electronic cash (e-cash) systems where cash is either represented by digital bearer certificates or by "value registers" in smart cards. In the case of digital bearer certificates, a digital signature is applied to an assertion that the certificate may be redeemed for a certain amount of cash at a certain bank or financial institution. A bank will issue certificates that can be used to verify the authenticity of the signature on the bearer certificate. Because digital bearer certificates can be freely copied, a risk exists that users will attempt to repeatedly use the same certificate. Therefore, risk management measures must be employed to ensure that each certificate is spent precisely once. Typically, either a smart card is used to contain the certificates and to participate in a two party protocol that marks certificates as used, or a network-based mechanism may be employed that records each certificate as it is used, and allows any payee to see if the certificate tendered is being used for the first time.
In the case of value registers in smart cards, certificates are used to certify the keys used to verify the digital signatures on messages that are exchanged between two software applications running on the smart cards. For example, a payer's smart card debits its value register (or current cash balance), and signs and sends a message affirming the act to the payee. The payee, upon receiving the message affirming the debit can check the signature on the certificate and verify the signature on the message.
Multiple risks exist in this system as well. In particular, the credit and debit operations must be encapsulated within smart cards or some other physically secure containers that must be distributed and maintained. In addition, should the certificates be compromised, counterfeit c-cash can be produced that is indistinguishable from e-cash that is issued by a legitimate originator. Should the physical container of a card be compromised, then clones of that card could be created that never debit their balances but nonetheless dispense e-cash acceptable to other cards. These are called "golden goose" cards. Thus, this type of e-cash, as a payment system, requires significant risk management measures. Another difficulty associated with this payment scheme has to do with recovery from errors. A communication error can literally destroy value. For example, if one smart card sends a signed message "I have debited my value register by $20" to another smart card, yet the second smart card does not receive that message intact, no credit will be offset to the debit. A support structure to make amends for these type of errors is required.
The shortcomings with the prior art involve the difficulty in using credentials that have been distributed electronically in a highly distributed system that lacks a reasonable means to revoke or update the credentials. For example, assume one holds a digital credential that authorizes the holder to purchase goods up to a value of one hundred thousand dollars (e.g., a corporate credit card). To use this credential, one must go to a central database to re-verify each time the credential is used.
Within the known systems, risk management measures are required to properly support payment systems, and defend them against fraud. Yet the known systems do not contain an efficient way in which risk management is integrated into the payment system.