Non Patent Literature 1 is a technique for the case where one service on the Internet allows a third party other than the service and a user (such as a third-party application) to use information and functions related to various services, including personal information on the user of the service (hereinafter referred to as “resources”). With this technique, only the access authority is transferred, without disclosing the authentication information for accessing the resources (such as a user ID (approver ID) and a password) to the service.
Non Patent Literature 1 (E. Hammer-Lahav, Ed., D. Recordon, D. Hardt, “The OAuth 2.0 Protocol”, Network Working Group, IETF, Jun. 15, 2010) has the merit that the authentication information need not be disclosed to the service when the authority to access the resources is transferred. In addition, it has the merit that not only the user but also a manager of the service can prevent unauthorized access to the resources by the third party.
Non Patent Literature 1 assumes that a trust relationship (contractual relationship) has been directly established in advance, mainly between a resource managing entity (the above-described service on the Internet) and the third party. Consequently, Non Patent Literature 1 cannot be used if the service cannot directly establish the relationship, for example because the number of resource managing entities is enormous and the resource managing entities are ubiquitous (as when household electrical appliances are assumed as the resource managing entities). Accordingly, a manager of the resource managing entity other than the user cannot prevent unauthorized access to the resources by the third party.
As described above, the conventional art has a problem that the authority to access the resources cannot be transferred to the third party in a case where the third party cannot directly establish the trust relationship with the resource managing entities, for example because the number of the resource managing entities is enormous and the resource managing entities are ubiquitous. Furthermore, there is a problem that the manager of the resource managing entity other than the user cannot prevent unauthorized access to the resources by the third party.