1. Field of the Invention
The present invention relates to electronic identity techniques and methods. More particularly, the present invention relates to a novel and improved method and system for requesting and issuing an electronic identity based on a previously certified electronic identity.
2. Description of the Prior Art
With respect to securing communication, entities are often required to authenticate themselves electronically before utilizing services or executing transactions. This authentication may take the form of a username and password combination or of a certificate. To accomplish this, these entities must first register their existence, either physically or virtually, so that they may receive a proof of identity.
Providing the proof, such as a username and password combination, carries out the actual authentication. The aforementioned simple authentication schemes are unfortunately quite context specific: an identity based on a username and password may be meaningless in all other circumstances. Moreover, such proof does not irrefutably distinguish different entities.
Digital certificates or electronic identities are electronic files that are used to uniquely identify people and resources over networks such as the Internet. With the help of digital certificates it is possible to establish secure, confidential communication between two parties. When a person travels to another country, his/her passport provides a universal way to establish identity and gain entry. Digital certificates provide similar identification. Certificates may be issued by a trusted third party (TTP) such as a Certification Authority (CA). Much like the role of the passport office, the role of the trusted third party is to validate the certificate holder's identity and to “sign” the certificate so that it cannot be forged or tampered with. Once a TTP has signed a certificate, the holder can present the certificate to people, Web sites, and network resources to prove his/her identity and establish encrypted, confidential communications.
A certificate typically includes a variety of information pertaining to its owner and to the TTP that issued it. This information can include: the name of the holder and other identification information required to uniquely identify the holder, such as the URL of the Web server using the certificate or an individual's e-mail address; the holder's public key, which can be used to encrypt sensitive information for the certificate holder; the name of the Certification Authority that issued the certificate; a unique identifier; and the validity period (or lifetime) of the certificate (a start and an end date).
In creating the certificate, this information is digitally signed by the issuing TTP. The TTP's signature on the certificate is like a tamper-detection seal on a bottle of pills—any tampering with the contents is easily detected. Digital certificates are usually based on public-key cryptography, which uses a pair of keys for encryption and decryption. With public-key cryptography, keys work in pairs of matched public and “private” keys. In cryptographic systems, the term key refers to a numerical value used by an algorithm to alter information, making that information secure and visible only to individuals who have the corresponding key to recover the information.
The public key can be freely distributed without compromising the private key, which must be kept secret by its owner. Since these keys only work as a pair, an operation (for example encryption) done with the public key can only be undone (decrypted) with the corresponding private key, and vice versa. A digital certificate securely binds your identity, as verified by a trusted third party (a CA), with your public key.
A CA certificate is a certificate that identifies a Certification Authority. CA certificates are just like other digital certificates except that they are self-signed. CA certificates are used to determine whether to trust certificates issued by the CA.
In the case of a passport, a passport control officer will verify the validity and authenticity of your passport and determine whether to permit you entry. Similarly, the CA certificate is used to authenticate and validate the Web server certificate. When a Web server certificate is presented to a browser, the browser uses the CA certificate to determine whether to trust the Web server's certificate. If the server certificate is valid, the secure session proceeds. If the server certificate is not valid, the server certificate is rejected and the secure session is stopped.
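The issuing and checking described in the paragraphs above can be made concrete with a small program. The following is an added example written for this page using only the Go standard library; it is not code from the patent. It assumes ECDSA keys on the P-256 curve with SHA-256 as the signature scheme, and the names "Example Root CA" and "www.example.test" are constructed for the example. It builds a self-signed CA certificate, has the CA sign a Web server certificate (the TTP's "tamper-detection seal" over the hashed contents), and then plays the browser's role: the server certificate is accepted only when its chain leads to the trusted CA certificate, the hostname matches, and the signed contents are unmodified.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a CA certificate, a server certificate signed by that CA, and their keys.
type PKI struct {
	CACert     *x509.Certificate
	ServerCert *x509.Certificate
	CAKey      *ecdsa.PrivateKey
	ServerKey  *ecdsa.PrivateKey
}

// newTemplate fills in the fields the text describes: holder name, a unique
// serial number, and a validity period with a start and an end date.
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn} // the Web server name the certificate is bound to
	}
	return t
}

// BuildPKI creates a self-signed CA certificate (the CA signs its own contents
// with its own private key) and a server certificate signed by the CA's key.
func BuildPKI() (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := newTemplate(1, "Example Root CA", true) // constructed name
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := newTemplate(2, "www.example.test", false) // constructed name
	// The CA hashes the server certificate's contents and signs the hash with its private key.
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvCert, err := x509.ParseCertificate(srvDER)
	if err != nil {
		return nil, err
	}
	return &PKI{CACert: caCert, ServerCert: srvCert, CAKey: caKey, ServerKey: srvKey}, nil
}

// VerifyServerCert plays the browser: it trusts only caCert and checks that the
// server certificate's signature, validity period and hostname all hold.
func VerifyServerCert(caCert, srvCert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := srvCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// TamperedCopy alters one byte of the holder's name inside the signed portion of
// the certificate, simulating modification of the contents after the CA signed them.
func TamperedCopy(cert *x509.Certificate) (*x509.Certificate, error) {
	der := append([]byte(nil), cert.Raw...)
	idx := bytes.Index(der, cert.RawSubject)
	if idx < 0 {
		return nil, errors.New("subject not found in DER encoding")
	}
	der[idx+len(cert.RawSubject)-1] ^= 0x01 // flip the last character of the common name
	return x509.ParseCertificate(der)
}

func main() {
	pki, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine server certificate:", VerifyServerCert(pki.CACert, pki.ServerCert, "www.example.test"))
	bad, err := TamperedCopy(pki.ServerCert)
	if err != nil {
		panic(err)
	}
	fmt.Println("tampered server certificate:", VerifyServerCert(pki.CACert, bad, "www.example.test"))
}
```

Parsing the tampered encoding succeeds, because parsing does not check the seal; it is the verification step against the CA's public key that rejects it. A certificate presented to a browser that trusts a different CA is rejected in the same way, which is why the CA certificate, not the server certificate alone, decides trust.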
In a digital environment the contemporary equivalent of an identity card is a certificate: a confirmed proof of an entity's distinct identity. A certificate typically does more than just confirm attributes of its subject. The most common use of (public key) certificates is to bind an entity's public keys to its identity. These keys can be used for various purposes such as providing authentication, authorization, confidentiality, integrity, or non-repudiation.
Theoretically, certificates are not context specific, but in practice different uses require different certificates. For example, a standard X.509 certificate does not include the e-mail address information that is required in secure electronic mail (e.g. electronic mail encrypted using Pretty Good Privacy® (PGP®) or Secure Multipurpose Internet Mail Extensions (S/MIME) techniques). Similarly, other applications may need to have their own proprietary attributes included in certificates. Although this inclusion of attributes is not problematic per se, new certificates need to be created.
U.S. Pat. No. 5,982,898 describes a method for issuing a short-term certificate for a person who already has a previous certificate. The new certificate is issued after the validation process of the ownership of the previous certificate. The validation is done by separating the tasks of identity verification and certificate issuing, which allows a dissociation of the long-term binding between the person and his/her public/private key pair. This is accomplished by a registration authority issuing a password to the person once it is satisfied of the person's bona fides. Thereafter, whenever the person wishes to have a new certificate or electronic identity, the person contacts a certification authority, identifies himself/herself with the password and obtains a certificate. The certificate typically includes the person's name and a public key in plaintext, and a signature. The signature is derived by hashing the plaintext portion of the certificate to obtain a value, and encrypting the value with the CA's private key.
In order to obtain a certificate or some other electronic proof of identity, a subject must prove and register its existence with some authority. If the same identity needs several proofs for different uses, this repeated registration procedure becomes quite inconvenient.