A credential is a data structure provided to a bearer for a purpose, with some acknowledged way to verify the bearer's right to use the credential. A credential relates to an attribute, normally, but not necessarily, of the bearer. A credential is verified by a trusted source (sometimes referred to as the verifier). Often, there will be a chain of credentials and respective trusted sources until a verification is proffered by an organisation in which trust is implicit. Credentials are incorporated in a digital certificate for verification.
A digital certificate generally comprises a file containing information, which file is transmitted to a recipient together with a digitally signed version thereof. The digitally signed version is a hash of the file encrypted using a secret key (in a public key infrastructure). A hash is a one-way function that generates a substantially unique output from a file and is for all practical purposes irreversible. These concepts are familiar to those skilled in the art.
Digital certificates are used in communication using distributed electronic networks, such as the internet, to transmit a credential, typically of the bearer. A known digital certificate is the X0.509 standard.
A certificate may contain one or more credential attributes.
A credential attribute in a certificate can be almost anything. Typical examples relevant to the present invention may be a credit rating, an access authorisation (for physical or electronic access), a verification of identity etc.
Each attribute has at least one attribute property, such as a value (e.g. a numeric or alphanumeric) or something more complex such as an indication of trust.
Generally, known digital certificates are valid for a fixed period of time (e.g. 1 year), during which time they will be used as a means of authentication and for gaining authorised access to services etc. This is referred to as the valid period. Such digital certificates can, however, be revoked at any time by the verifier (terminating the valid period), thus placing a burden on the certificate recipient to check revocation lists or to use online certificate status protocol services. These certificates are generally valid or not valid; there is no middle ground even though the degree of trust the trusted source has in the credential attribute may, in fact, vary over time (or some other variable) or if there is a wish to vary the credential attribute value.
A certificate may still be in a valid period even if a credential attribute within it is not.
By way of example, a certificate may specify an individual's credit limit as a credential attribute.
While this may be correct at the time of generation of the certificate, within the typical one year limit of the certificate, the verifier may not wish to attest to the same credit limit for the full period.
In another example a credential attribute may allow entry to a building which a certificate provider may wish to restrict to certain days.