The computer system 100 illustrated in FIG. 1 represents a typical hardware setup for executing software that allows users to perform tasks such as communicating with other computer users, accessing various computer resources, and viewing, creating, or otherwise manipulating electronic content—that is, any combination of text, images, movies, music or other sound, animations, 3D virtual worlds, and links to other objects. The system includes various input/output (I/O) devices (mouse 103, keyboard 105, display 107) and a general purpose computer 100 having a central processor unit (CPU) 121, an I/O unit 117, and a memory 109 that stores data and various programs such as an operating system 111 and one or more application programs 113. The computer system 100 also typically includes some sort of communications card or device 123 (e.g., a modem or network adapter) for exchanging data with a network 127 via a communications link 125 (e.g., a telephone line).
As shown in FIG. 2, a user of a computer system can access electronic content or other resources either stored locally at the user's own client system 202 (for example, a personal or laptop computer) or remotely at one or more server systems 200. An example of a server system is a host computer that provides subscribers with online computer services such as email, e-commerce, chat rooms, Internet access, electronic newspapers, and magazines. Users of a host computer's online services typically communicate with one or more central server systems 200 through client software executing on their respective client systems 202.
In practice, a server system 200 typically is not a single monolithic entity, but is a network of interconnected server computers, possibly physically dispersed from each other, each dedicated to its own set of duties and/or to a particular geographic region. In such a case, the individual servers are connected by a network of communication links in known fashion.
A “browser” is an example of client software that enables users to access and view electronic content stored either locally or remotely, such as in a network environment (local area network (LAN), intranet, and wide area network (WAN) such as the Internet). A browser is typically used for displaying documents described in Hypertext Markup Language (HTML) and stored on servers connected to a network, e.g., the Internet. Technically, a web browser is a client program that uses the Hypertext Transfer Protocol (HTTP) to make requests of web servers throughout the Internet on behalf of the browser user. A web server contains, in addition to the HTML and other files it can serve, an HTTP server daemon, which is a program designed to wait for HTTP requests and handle those requests when received.
FIG. 3 is a screenshot of a browser application 300 (Netscape Navigator) displaying a typical HTML document, or web page 302. As shown therein, a single web page 302 may be composed of several different files potentially of different data types 304 (for example, text, graphics, images, virtual worlds, sounds, or movies). In addition, a web page can include links 306 pointing to other resources (for example, web pages or individual files) available on the network. Links 306 can take virtually any visual form, for example, the links can appear either as a text string or as a graphical image or a combination thereof. Each link 306 has an associated URL pointing to a location on the network. When a user “clicks on” or otherwise selects a displayed link 306, the browser can automatically retrieve a web page or other resource corresponding to the link's associated URL and display it to, or execute it for, the user. A user can instruct a browser to access an HTML document or web page by specifying a network address or Uniform Resource Locator (URL) at which a desired document resides. URLs are defined in Internet standard RFC 1738 to include an indication of the protocol to be used and the location of a resource on a web server. In response to instructions from the user, the browser contacts the corresponding server hosting the requested webpage, retrieves the one or more files that make up the webpage, and then displays the webpage in a window on the user's computer screen.
Web pages can typically be transported using HTTP as defined in Internet standard RFC 2068. HTTP is a set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web (WWW). Relative to the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols which are the basis for information exchange on the Internet, HTTP is an application layer protocol. When a user of a web browser sends an HTTP request by typing in a URL or clicking on a hypertext link, the browser builds an HTTP request and sends it to the address indicated by the URL. The HTTP server daemon in the destination server machine receives the request and, after any necessary processing, the requested file is returned. The response is sent to the browser where it can be displayed to the user. The HTTP protocol response includes various codes detailing the result of the request. For example, return code 404 indicates that the information requested was not found. For transactions requiring security, the HTTP connection can be secured with encryption. This variant is known as Secure HTTP (HTTPS) or Secure Socket Layer (SSL).
HTTPS is a web protocol developed by Netscape Communications, Inc. (Netscape) of Mountain View, Calif. and is implemented in several browsers. The HTTPS protocol encrypts and decrypts user page requests as well as the pages that are returned by the web server. HTTPS uses Netscape's SSL as a sublayer under its regular HTTP application layer. HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP. SSL uses a key size of a predetermined number of bits (typically between 40 and 128) for the RC4 stream encryption algorithm, which is considered a minimal degree of encryption for commercial exchange.
When visiting an electronic commerce merchant, a user typically is presented with a web page order form URL that starts with “https://”, indicating the use of the HTTPS protocol. When sending the response, the browser will use the HTTPS layer for encryption. The acknowledgement received from the server also will travel in encrypted form using HTTPS, and will be decrypted by the browser's HTTPS layer.
HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate (i.e., confirm the identity of) the sender. SSL is an open, nonproprietary protocol that Netscape has proposed as a standard to the World Wide Web Consortium (W3C). HTTPS is not to be confused with SHTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.
A digital certificate is an electronic token that establishes the credentials of a party doing business or other transactions on the web. Certificates can be issued by a certification authority (CA). Typically, certificates can contain a party's names, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so authenticated users can look up other users' public keys.
HTTP also includes a mechanism referred to as a “cookie,” which is used to maintain client side persistent data. A cookie is a token, for example, a special text file, that a web site stores on a user's hard disk so that the web site can remember something about the user at a later time. Typically, a cookie records a user's preferences when using a particular site. Under HTTP, each request for a web page is independent of all previous requests. For this reason, a web page server has no memory of what pages it has sent to a user previously or anything about that user's previous visits. The cookie mechanism can allow the server to store its own file on the user's own computer. The file can be typically stored in a subdirectory of the directory used to install the browser software. The cookie subdirectory can contain cookie files for each web site visited by the user that uses cookies. Cookies are commonly used to keep track of which banner ads a user already has encountered. This tracking can assist web sites in rotating the banner ads presented and thereby minimize repetition to the user based on a user's browser type or other information provided to the web site. In order for cookies to be used for tracking, web users must agree to let cookies be saved on their computers by configuring their browsers to accept cookies.
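The cookie round trip and banner rotation described above, as an added Python sketch that is not part of the original document. The cookie name `seen`, the banner ids, the `Browser` class and the site name `shop.example` are constructed for illustration.

```python
from http.cookies import SimpleCookie

BANNERS = ["ad-a", "ad-b", "ad-c"]  # constructed banner ids

def serve_page(cookie_header):
    """Server: choose a banner this client has not seen yet.
    Returns (banner, Set-Cookie value); the server keeps no per-user state."""
    sent = SimpleCookie()
    sent.load(cookie_header or "")
    seen = sent["seen"].value.split(".") if "seen" in sent else []
    seen = [b for b in seen if b in BANNERS]  # cookie is client-held: drop unknown ids
    unseen = [b for b in BANNERS if b not in seen]
    if not unseen:  # every banner shown once, restart the rotation
        seen, unseen = [], list(BANNERS)
    reply = SimpleCookie()
    reply["seen"] = ".".join(seen + [unseen[0]])
    reply["seen"]["path"] = "/"
    return unseen[0], reply["seen"].OutputString()

class Browser:
    """Client: stores cookies per site and returns them on the next request."""
    def __init__(self, accept_cookies=True):
        self.accept_cookies = accept_cookies
        self.jar = {}  # site -> {cookie name: value}

    def visit(self, site, server):
        stored = self.jar.get(site, {})
        header = "; ".join(f"{k}={v}" for k, v in stored.items())
        banner, set_cookie = server(header)
        if self.accept_cookies:  # user has configured the browser to accept cookies
            parsed = SimpleCookie()
            parsed.load(set_cookie)
            self.jar.setdefault(site, {}).update(
                {name: morsel.value for name, morsel in parsed.items()})
        return banner

def demo(accept_cookies, visits=4):
    browser = Browser(accept_cookies)
    return [browser.visit("shop.example", serve_page) for _ in range(visits)]

if __name__ == "__main__":
    print("cookies accepted:", demo(True))
    print("cookies refused: ", demo(False))
```

With cookies refused, every request looks like a first visit, so the same banner is served each time.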
Consumers can buy and sell products and services shown on web pages via electronic commerce (“e-commerce”) transactions. To enable these transactions, a consumer and merchant exchange personal and financial information concerning the online transaction, such as their credit card, billing address, and shipping address. Conventional payment systems associated with many Internet commerce sites therefore require customers to type their credit card and mailing information into an HTML form.
FIGS. 4A and 4B show an example of an e-commerce form 400. The information for the form 400 typically includes name 405, shipping address 410, billing address 415, and credit card number 420. This information is submitted to the merchant, who then uses the information to complete the transaction using various known fulfillment and delivery mechanisms.
Navigating and completing such forms involves a great deal of repetition and associated inconvenience to users when providing name, shipping address, billing address, and credit card data to merchants. Completing electronic forms often is a tedious and error-prone process. Furthermore, using these payment systems, customers visiting several online stores may need to re-enter their payment/address information at each online store at which they make a purchase. For many stores, shoppers additionally may need to re-enter payment information at each subsequent visit.
To facilitate the process of completing forms, “form fillers” have been developed. These applications can automate the filling of forms encountered when visiting web sites. The form filler can recognize forms in the HTML and can record the data entered in the fields when the user fills out the form for the first time. Then, when similar fields show up in subsequent forms, the form filler can use the recorded data to automatically fill out these fields. An example of such a form filler is built into Microsoft Internet Explorer 5.0. FIGS. 5A, 5B, and 5C show a form filler application built into a browser automatically filling out the fields in an e-commerce form. Some form fillers can allow the user to maintain several “identities” to help protect privacy. Each identity keeps track of a separate set of form data that will be used to fill in new forms.
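A minimal form filler along the lines described above, as an added Python sketch that is not part of the original document and not the code of any product named in it. Treating fields as "similar" when their names match after lowercasing and stripping punctuation is an assumption, and the two forms and all values are constructed.

```python
from html.parser import HTMLParser

class FieldFinder(HTMLParser):
    """Collect the names of user-editable <input> fields inside <form> tags."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and a.get("name"):
            if a.get("type", "text") not in ("submit", "hidden"):
                self.fields.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def form_fields(html):
    finder = FieldFinder()
    finder.feed(html)
    return finder.fields

def normalize(name):
    # Assumed similarity rule: compare names case-insensitively, ignoring punctuation.
    return "".join(ch for ch in name.lower() if ch.isalnum())

class FormFiller:
    def __init__(self):
        self.identities = {}  # identity -> {normalized field name: value}

    def record(self, identity, html, submitted):
        """Remember what the user typed the first time a form was filled out."""
        store = self.identities.setdefault(identity, {})
        for field in form_fields(html):
            if field in submitted:
                store[normalize(field)] = submitted[field]

    def fill(self, identity, html):
        """Propose values for fields of a new form that match recorded ones."""
        store = self.identities.get(identity, {})
        return {f: store[normalize(f)] for f in form_fields(html) if normalize(f) in store}

# Constructed sample forms from two different sites.
FORM_A = '<form><input name="name"><input name="Ship_Address"><input type="submit" name="go"></form>'
FORM_B = '<form><input name="Name"><input name="ship-address"><input name="card_number"></form>'
```

Each identity keeps its own store, so data recorded under one identity is never offered when another identity is active, and fields with no recorded match (here `card_number`) are left for the user to complete.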
A similar, but more sophisticated, approach to facilitating online transactions is the digital wallet. A digital wallet is a software application that allows the user to input shipping and billing data once and reuse this information at many different web sites to complete a purchase. Digital wallets that complete merchant forms or directly transfer data to merchants have been successfully built into browsers in several ways, including as helper applications to browsers, stand-alone applications, and browser plug-ins.
Once the digital wallet is set up, the user can store, manipulate, and pay for Internet purchases with various types of payment instruments, e.g., credit cards or electronic cash.
Client-based personal electronic wallets have been developed to relieve this burden. Client-based wallets store e-commerce information for a particular user at the machine operated by that user. When that machine interfaces with a merchant website through the Internet, e-commerce information stored in the local wallet may be transferred to the merchant. However, because client-based wallets reside on the user machine, these wallets are subject to the limitations of the machine upon which they reside. For instance, security attacks on the user machine may be used to target the wallets residing thereon. In addition, limitations on portability for the machine result in limitations for the wallet.