The invention relates generally to a method for re-issuing an attribute-based credential, issued by an issuer to a user, after the credential has been lost. The invention relates further to a re-issuance system for such an attribute-based credential, a related computing system, a data processing program, and a computer program product.
As more public cloud computing applications and services become available to end users, access to these services via a credential (or credentials) becomes equally essential. In a mobile environment, users often copy authentication credentials to portable devices such as smart phones and tablet computers and carry these credentials with them, stored on the mobile device, wherever they go. Although this increases a user's flexibility and convenience, it also implies the risk of losing a credential together with the device. The device might be stolen or may simply be lost. In such a case, it has to be assumed that an adversary gaining access to the device is able to read all information the user has written to the device, even if the device is protected by a PIN or the like. In particular, the credential and all information needed in order to use the credential may be leaked to the adversary. Thus, at least two issues arise:
Revocation of lost credentials: Users should be able to revoke, in other words invalidate, their credentials even if they no longer have access to some of the attributes contained in the credential, for example because those attributes reside only on the lost mobile device. This might be the case if, e.g., a credential was bound specifically to the lost device. On the other hand, no adversary (not controlling the revocation authority) should be able to invalidate a credential on behalf of an honest user, i.e., the original owner.
Backup and Re-Issuance of Credentials: Users should be able to efficiently re-obtain credentials that were lost together with a device. While this could, in theory, be done by going through the entire issuance process again, this is often undesirable in practice, e.g., because issuance may require offline authentication steps such as appearing in person at a public authority.
Several documents on the management of credentials have been published. Document US 2012/0239936 A1 provides a method and an apparatus for transferring credentials from one device to another. The method includes receiving an authorization token at a first device; determining a delegation token, one or more credentials and metadata; and providing, amongst others, the delegation token to a second device.
Document U.S. Pat. No. 8,533,464 B2 discloses revoking credentials after they have been lost. According to one aspect, a computer-implemented method for a first user to verify an association with a second user through a secret handshake protocol includes maintaining information about a reusable identification handle for the first user, wherein the information about the reusable identification handle is provided by a trusted third party.
However, no solution has been provided that handles the re-issuance of lost credentials in a more practicable way. Thus, there is a need for a user-oriented, convenient way of re-issuing lost credentials.