WO2009036511A1 - Verifying a personal characteristic of users of online resources - Google Patents

Info

Publication number
WO2009036511A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
public key
key certificate
trusted
storage device
Prior art date
Application number
PCT/AU2008/001392
Other languages
French (fr)
Inventor
Stephen Wilson
Original Assignee
Lockstep Technologies Pty Ltd
Priority date
Filing date
Publication date
Priority claimed from AU2008901033A
Application filed by Lockstep Technologies Pty Ltd
Priority to AU2008301230A
Publication of WO2009036511A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: as H04L9/32, involving a third party or a trusted authority
    • H04L9/3263: as H04L9/32, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265: as H04L9/3263, using certificate chains, trees or paths; Hierarchical trust model
    • H04L9/3271: as H04L9/32, using challenge-response
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42: Anonymization, e.g. involving pseudonyms
    • H04L2209/60: Digital content management, e.g. content distribution
    • H04L2209/80: Wireless

Definitions

  • the present invention relates to controlling access to online resources according to personal characteristics such as user age, while allowing preservation of user privacy.
  • the present invention provides for verification of the personal characteristic of the user, without requiring disclosure of the user's identity to the operator of the online resource, and without requiring contemporaneous averment by a third party.
  • Social networking is an important new type of online service enabled essentially by Internet technologies.
  • social networking groups of people with common interests or attributes can communicate with one another, share data, undertake discussions, be introduced to like-minded new friends and colleagues, and so on.
  • access to social networking resources is qualified by some means in order to preserve the collective identity of the group, and protect the privacy of participants,
  • the most important qualification is the age of the user.
  • qualifications such as age for participating in social networking services have been difficult to enforce.
  • a technically comparable problem is associated with controlling the access to online resources intended only for adults (generally speaking, persons who have attained the age of majority).
  • Such resources include online gambling, dating and introduction services, "adult" or pornographic content, and other classified content (films, television programs, literature and so on).
  • new regulations introduced in 2007 require age verification for content delivered over the Internet or to multimedia wireless devices such as mobile telephones when that content has been given a conventional film & television classification of "MA15+" (intended only for a "Mature Audience" over the age of 15) or "R18+" (Restricted to persons over the age of 18).
  • One approach to the age verification problem is to have a trusted third party vouch for the age of a first party (the user) at the time when the user is accessing services of a second party (the online service provider).
  • Some approaches to such age verification involve a new type of trusted third party that provides age verification services possibly on a commercial basis, typically by accessing authoritative repositories of age information.
  • a service provider wishes to confirm the age of a given user, they inquire with the third party as to the person's age. This approach requires the user to provide personal details when registering with the trusted third party, which represents an effort and possible additional expense not normally associated with the use of such resources as online social networking sites.
  • This type of approach also complicates the processes by which the service provider deals with its users, and can involve the disclosure of personal details of the user to the service provider. Moreover, this approach requires a timely response from the third party as user participation is prevented until verification is provided by the third party.
  • the present invention provides a method for controlling access to an electronically accessible resource provided for a defined demographic group, the method comprising: securely storing in a storage device of a user a cryptographic Private Key; issuing to the user a Public Key Certificate corresponding to said Private Key, the Public Key Certificate including data that indicates that the user is a member of the defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group; and an access control system associated with the electronically accessible resource using said Public Key Certificate to verify that the user is eligible to access the electronically accessible resource.
  • the present invention provides a method for providing a user with demographic verification, the method comprising: securely storing in a storage device of the user a cryptographic Private Key; and issuing to the user a Public Key Certificate corresponding to said Private Key, the Public Key Certificate including data that indicates that the user is a member of a defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group, wherein the Public Key Certificate is such that an access control system associated with an electronically accessible resource provided for the defined demographic group can use said Public Key Certificate to verify that the user is eligible to access the electronically accessible resource.
  • the present invention provides a method for verifying user eligibility to access an electronically accessible resource provided for a defined demographic group, the method comprising: a user causing provision of a Public Key Certificate to an access control system associated with the electronically accessible resource; and the access control system verifying whether the user is eligible to access the electronically accessible resource by determining whether said signed Public Key Certificate includes data indicating that the user is a member of the defined demographic group, and determining whether the Public Key Certificate has been signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group.
  • the present invention provides a storage device securely storing a cryptographic Private Key, and a Public Key Certificate corresponding to said Private Key and including data that indicates that the user is a member of a defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group.
  • the present invention provides a computer program element comprising computer program code means to make a computer execute a procedure for controlling access to an electronically accessible resource, the computer program element comprising: computer program code means for obtaining from a user a Public Key
  • the present invention thus provides for the Public Key Certificate to verify that the user is a member of a particular demographic group, such as being within a particular age group, without requiring that any other personal details about the user such as their identity be revealed.
  • the present invention provides a secure means by which to establish the user's authorisation to access the resource in question, without requiring authentication of the user's identity.
  • Such a Public Key Certificate in combination with a cryptographic storage device and Private Key provides a particularly strong mechanism for differentiating members of the relevant demographic group, for example for differentiating children from adults.
  • Use of a cryptographic storage device and public key infrastructure provides resistance to copying or counterfeiting as might be attempted by an adult that would masquerade as a child.
  • Providing the user with a private key gives the user a means to demonstrate that the Public Key Certificate is in fact associated with that individual, so as to prevent copies of the Certificate from being made and used by others.
  • the present invention also represents a form of two factor authentication and is therefore more resistant to theft and abuse than are traditional single factor authentication methods such as secret passwords used to control access to social networking services. If a child loses their cryptographic storage device then it is relatively easy to be alerted to that fact and prevent others from inappropriately using the device by cancelling the Certificate, and relatively easy to replace together with a new Public Key Certificate.
  • the Certificate may be issued to the user by being stored in connection with a storage device which is required to be kept in the possession of the user for other purposes, for example a driver's license, student concession card, membership card, a telephone or a personal digital assistant (PDA). Loss or theft of such a device is likely to be promptly reported by the user allowing cancellation of the Public Key Certificate to prevent others from using a stolen device to access the electronically accessible resource.
  • the storage device could be a magnetic stripe card, a USB storage device, a smart card, a subscriber identity module (SIM) card, a random access memory or read only memory of a telephone or PDA, or other suitable device.
  • the trusted third party is a body that, due to existing responsibilities, has the knowledge required to attest to the user's demographic status of interest.
  • the demographic group is children of school age
  • preferred embodiments of the present invention provide for the trusted third party to be an institution such as a government department of education and/or a body responsible for issuing student concession cards, for example.
  • Such embodiments ease implementation of the system of the present invention, by recognising that a typical routine function of such bodies is to produce and issue to school children public transport concession cards and the like, which in effect vouch for the fact that the card holder is a school age child.
  • the present invention provides the means for that existing trusted third party to provide verification of age to the child in digital cryptographic form for use online, with the additional benefit in some embodiments of being able to de-identify the child in the online environment.
  • embodiments of the present invention are further advantageous in providing a "push" distribution model for certificates, where the trusted third party acts as a 'source of truth' and feeds data to a Certificate Authority for the automatic production of certificates, avoiding the need for individuals to 'pull' down certificates by application.
  • the Certificate can be produced without requiring the student to undergo an arduous application process and without engaging any new authorities or service providers.
  • Embodiments of the invention preferably provide for one or more Root Certification Authorities each being trusted to attest that particular institutions are authorised to aver demographic characteristics of the user.
  • Such embodiments of the invention provide for cross-jurisdictional implementation of the present invention, in providing for verification of a user's demographic characteristic when accessing an electronic resource based in a jurisdiction different to the jurisdiction in which the user is located. That is, such embodiments recognise that the electronically accessible resource may be in a different country or different jurisdiction to the user, and recognise that the provider of the electronically accessible resource may not have first hand knowledge of whether the institution is legitimately authorised to aver the demographic characteristics of the user.
  • Root Certification Authority responsible for maintaining a list of appropriately authorised bodies in different jurisdictions
  • embodiments of the invention enable access control to the electronically accessible resource to be effected in an automated and rapid manner, by ensuring that the Public Key Certificate presented by the user and issued by an institution properly chains back to the Root Certification Authority.
  • To establish such Root Certification requires the simple step of the Root Certification Authority issuing Public Key Certificates to one or more corresponding trusted third party Certification Authorities in each jurisdiction.
  • the Root Certification Authority preferably further attests as to which particular demographic characteristic(s) each institution is authorised to aver.
  • the Root Certification Authority may attest that a government department of education is authorised to aver that children are minors.
  • the Root Certification Authority preferably maintains a code numbering schema, electronic directory service or similar means to identify which particular demographic characteristic is vouched for by the institution through the Public Key Certificates issued to individuals.
  • a suitable code numbering schema could for example be constructed using X.500 standard Object Identifiers (OIDs) administered by the Root Certification Authority.
  • the demographic group may be defined by any suitable demographic characteristic(s), such as: age; gender; race; religion; sexual orientation; income; special interests; membership or affiliation with a society, social networking site, online gaming community or virtual world; geographic or virtual location; nationality; residential jurisdiction; disease status; and/or entitlement to social security benefits or old age benefits.
  • the storage device may be issued to the user by the trusted third party and may serve other purposes such as being a transport concession card for a student, or a driver's license for an adult.
  • the storage device may be incorporated into another electronic device such as a portable digital assistant (PDA), mobile telephone handset, or personal computer.
  • Embodiments utilising a portable device provide benefits including resistance to replay attack, identity theft, counterfeiting and the like, provide ease of use, and provide improved confidence in the user acting consensually in the use of the Private Key since it is unlikely that a physical device is used inadvertently.
  • the Private Key and the Public Key Certificate are preferably stored in the same device, and may both be stored in a single storage means of the device.
  • the storage device may comprise any suitable storage device such as a smartcard, a cryptographic USB key, a regular USB key, a mobile telephone Subscriber Identification Module (SIM) card, other memory of a mobile telephone or Personal Data Assistant, tamper resistant storage, or a hardware security module such as a Trusted Platform Module.
  • the Public Key Certificate is anonymous in so far as the certificate contents do not include any personally identifiable information, and reveal only the fact averred by the Trusted Third Party that the user belongs to a certain demographic group such as being of a certain age.
  • the storage device may be equipped with visual indicia identifying the user, or alternatively may carry no visual means to identify the user.
  • the storage device may store one or more other Private Keys or Public Key Certificates for other purposes, for example to establish the identity of the user in other applications.
  • the cryptographic storage device includes a built-in function for generating Public Key / Private Key pairs, such that following generation the Private Key never leaves the confines of the storage device.
  • when applied to the demographic group of children of minority age, the storage device is preferably a tamper resistant cryptographic USB key.
  • a tamper resistant cryptographic USB key is advantageous as being relatively easy to use by children, and is further advantageous in exploiting that USB devices are inexpensive, in widespread use, and are compatible with the great majority of contemporary personal computers and thus require no special reader device in order to be interfaced to a personal computer.
  • any suitable technique may be applied, for example the Private Key of the user may be used to produce a cryptogram from a challenge in a challenge-response protocol. Additionally or alternatively the Private Key of the user may be used to produce a cryptogram from a transactional data object where said cryptogram may be verifiable by means of the Public Key Certificate corresponding to said Private Key.
  • Figure 1 illustrates a system for issuing to children cryptographic USB keys including Public Key Certificates that verify the age of those children when accessing online resources;
  • Figure 2 illustrates a general-purpose computing device that may be used in an exemplary system for implementing the invention
  • the presently described embodiment of the present invention recognises the specific relationship that children as students can have with institutions such as Departments of Education, which have established processes for issuing to children documents or cards that aver eligibility for such concessions as discounted public transport fares.
  • a Department of Education acts as a Trusted Third Party that issues Public Key Certificates that verify the age of each child receiving such a certificate. Any provider of online resources intended only for children can design their access control systems to use such Public Key Certificates to distinguish between children verified as such by the Department of Education, and other illegitimate users such as adults.
  • a Department of Education 110 maintains a database 112 of school age children.
  • the Department of Education 110 issues to a child 101 listed in the database 112 a cryptographic USB key 150.
  • the cryptographic USB key 150 includes a processor chip 155.
  • the processor chip 155 generates a Public Key - Private
  • a Public Key Certificate 120 corresponding to said Public Key - Private Key pair is created and signed by a Certification Authority 114 operated by the
  • 114 may be a separate party engaged by the Department of Education for this purpose.
  • the Public Key Certificate 120 includes a data item 122 that attests that the child 101 is of school age.
  • the Public Key Certificate 120 also includes a digital signature 124 of the Department of Education 110.
  • the Public Key Certificate 120 is anonymous in that the identity of the child 101 is not included in the Public Key Certificate 120, in this embodiment.
  • Child 101 uses computer 130 to access via the Internet 199 online resources 220 provided by service provider 200 and intended only for children.
  • the child 101 connects the cryptographic USB key 150 to a personal computer 130 as part of the access control procedure.
  • An access control module 210 associated with the online resources 220 operates so as to distinguish legitimate users such as child 101 from illegitimate users such as adults.
  • the access control module 210 effects verification by examining the Public Key Certificate 120, checking that the digital signature 124 corresponds to the Department of Education 110, and checking that the data item 122 does indicate that the holder of the Public Key Certificate 120 (namely the child 101) is of school age. If said checks are satisfied then the access control module 210 grants child 101 access to the online resources 220.
  • the Certification Authority 114 is itself certified by a Root Certification Authority 314 which issues CA Public Key Certificate 320 containing a data item 326 that attests that the Certification Authority 114 is recognised as being authoritative over the particular demographic characteristic in question, in this case the fact that the child 101 is of school age.
  • the CA Public Key Certificate 320 also includes a digital signature 324 of the Root Certification Authority 314. This arrangement thus effects an international or otherwise cross-jurisdictional mechanism for endorsing Certification Authority 114 so that the legitimacy of their verification of age of student 101 may be automatically verified by the service provider 200 even where the Certification Authority 114 is unknown to the service provider 200.
  • This cross-jurisdictional ability of this embodiment recognises that in respective jurisdictions there could be one or more bodies that are authoritative in vouching for certain demographic characteristics. For instance, in addition to Department of Education 110 acting as an authoritative body in vouching for child 101 being of school age, a driver licensing bureau might act as an authoritative body in vouching for individuals being of the age of majority.
  • the infrastructure provided by this embodiment, specifically Root Certification Authority 314, enables the standing of such deemed authoritative bodies to be rapidly determined by a secure automated process even across jurisdictional borders.
  • any service provider 200 anywhere in the world can confirm whether a given individual 101 is of school age, no matter where that individual resides. This is because the service provider 200 can check if the person's Public Key Certificate 120 firstly chains back to the Root Certification Authority 314, and secondly that Public Key Certificate 120 contains a code number indicating that the Public Key Certificate issuer 114 is deemed by the Root Certification Authority 314 to be authoritative as to the demographic characteristic of being of school age.
  • Once the Root Certification Authority 314 is established and its Root Public Key promulgated across all social networking sites such as child social networking site 220, new Certification Authorities 114 can be joined to the scheme at any time, to provide age verification for example, or verification of any other demographic characteristic, again without requiring identification of users.
  • service provider 200 is able to gain additional confirmation of the authority of the Department of Education 110 by verifying also that the Public Key Certificate 120 correctly chains cryptographically to CA Public Key Certificate 320 signed by the Root Certification Authority 314. If the Public Key Certificate 120 does correctly chain cryptographically to CA Public Key Certificate 320 then service provider 200 can infer that the Certification Authority 114 is a recognised member of the inter-jurisdictional set of authoritative bodies able to vouch for demographic characteristics. If the data item 326 further indicates that the Certification Authority 114 has been certified by the Root Certification Authority 314 as being authoritative over the demographic property of being of school age, then the service provider 200 gains additional confirmation of the authority of the Department of Education 110.
  • This embodiment thus maintains the privacy of child 101 by not requiring the child at any time to provide their actual name or any other identifying details to the social networking service 220. Because the child's age is attested to by the department of education 110, the child also does not need to divulge their name or personal details to third parties. Even in alternative embodiments where the certification authority 114 is a separate party to the department of education 110, that authority 114 does not receive any details identifying the child in their task of producing the certificate 120.
  • This embodiment thus takes advantage of knowledge that an existing trusted authority, namely department of education 110, already has about the age of the child 101, and further ensures that only the pertinent personal quality is revealed, in that the child is of the age of minority.
  • This embodiment thus avoids introducing or imposing additional parties into the relationship between the service provider 200 and the user 101, providing a verification model which is simple, less risky, cheaper to implement, and lower cost to operate.
  • this embodiment enables verification to be performed substantially offline. This is because the face validity of the child's certificate 120 is evident to the service provider 200 without the provider 200 having to make any online inquiries at all, provided they have a trusted copy of the PKI root key.
  • the currency of the child's age verification certificate 120 might need to be checked in real time by provider 200, to ensure that it has not been revoked, however such a real time check can be done with relatively high performance and low bandwidth requirements using the industry standard OCSP protocol supported by all commercial CAs.
  • the present invention also relates to apparatus for performing the operations herein.
  • This apparatus may be specially constructed for the required purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer.
  • a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus.
  • a machine-readable medium includes any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer).
  • a machine-readable medium includes read only memory ("ROM"); random access memory ("RAM"); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.); etc.
  • In FIG. 2 the invention is illustrated as being implemented in a suitable computing environment.
  • program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.
  • program modules may be located in both local and remote memory storage devices.
  • a general purpose computing device is shown in the form of a conventional personal computer 20, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21.
  • the system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures.
  • the system memory includes read only memory (ROM) 24 and random access memory (RAM) 25.
  • a basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within the personal computer 20, such as during start-up, is stored in ROM 24.
  • the personal computer 20 further includes a hard disk drive 27 for reading from and writing to a hard disk 60, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD ROM or other optical media.
  • the hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical disk drive interface 34, respectively.
  • the drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 20.
  • exemplary environment shown employs a hard disk 60, a removable magnetic disk 29, and a removable optical disk 31, it will be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories, read only memories, storage area networks, and the like may also be used in the exemplary operating environment.
  • a number of program modules may be stored on the hard disk 60, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35, one or more applications programs 36, other program modules 37, and program data 38.
  • a user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and a pointing device 42.
  • Other input devices may include a microphone, joystick, game pad, satellite dish, scanner, or the like.
  • serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or a universal serial bus (USB) or a network interface card.
  • a monitor 47 or other type of display device is also connected to the system bus
  • peripheral output devices not shown, such as speakers and printers.
  • the personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49.
  • the remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated.
  • the logical connections depicted include a local area network (LAN) 51 and a wide area network (WAN) 52.
  • When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the WAN 52.
  • the modem 54 which may be internal or external, is connected to the system bus 23 via the serial port interface 46.
  • program modules depicted relative to the personal computer 20, or portions thereof may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
  • the present embodiment relates to verifying the age of users of online resources intended only for children
  • the present invention is applicable to enforcing other types of access control rules for online resources.
  • Such other rules include without limitation verifying that the user has reached the age of majority, as may be attested to by a driver's license regulator or other suitable trusted body.
  • Such verification of age of majority may be employed by social networking sites intended for adults only and/or sites providing classified content, adult content or gambling content, whether delivered via the Internet to personal computers and the like or via multimedia services to mobile telephones or other wireless devices.
  • the present invention may be employed in verifying that the user attends a certain school, as may be attested to by that school or by a government department of education.
  • the demographic grouping may be by disease status, for example to attest to the user being free of sexually communicable diseases, as may be attested to by a certified health professional for example.
  • the demographic group may be membership of a romantic dating community, whereby the user's membership of the community is attested to by a community registrar.
  • the demographic group may be membership of an online virtual world community or an online game such as a massively multiplayer online role playing game, whereby the user's membership of the community is attested to by a community registrar.
  • existing members of the community may be permitted to introduce new members by signing the new member's application using their Private Key and Public Key Certificate in order to effect an introduction.
  • the demographic group may be social security or old age benefit recipients, as may be attested to by a social security agency.
  • the computing device may comprise a suitably configured "multimedia" or 3G mobile telephone.
  • this invention allows differentiation between children and adults in connection to controlling access to online resources intended only for children. In another instance, this invention allows differentiation of users in connection with online resources intended only for adults.
  • a Certificate may be relied upon to verify that the user is a member of a particular demographic group, such as being within a particular age group, without requiring that any other personal details about the user such as their identity be revealed. This affords a means by which to establish the user's authorisation to access the resource in question, without requiring authentication of the user's identity nor use of a private key.

Abstract

Access to an electronically accessible resource provided for a defined demographic group is controlled. A cryptographic Private Key is securely stored in a storage device of a user, whether a multi-function storage device or a device dedicated for this purpose. A Public Key Certificate corresponding to the Private Key is also issued to the user. The Public Key Certificate contains data that indicates that the user is a member of the defined demographic group. The Public Key Certificate is signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group. An access control system associated with the electronically accessible resource uses the Public Key Certificate to verify that the user is eligible to access the electronically accessible resource by virtue of possessing the demographic characteristic. A Root Certification Authority for broad deployment of the infrastructure is also provided.

Description

"Verifying a personal characteristic of users of online resources"
Cross-Reference to Related Applications
The present application claims priority from Australian Provisional Patent Application No 2007216833 filed on 19 September 2007 and Australian Provisional Patent Application No 2008901033 filed on 3 March 2008, the contents of which are incorporated herein by reference.
Technical Field
The present invention relates to controlling access to online resources according to personal characteristics such as user age, while allowing preservation of user privacy. In particular the present invention provides for verification of the personal characteristic of the user, without requiring disclosure of the user's identity to the operator of the online resource, and without requiring contemporaneous averment by a third party.
Background of the Invention
The Internet has given rise to a host of innovative new information resources, such as services oriented towards children for purposes including education and entertainment. "Social networking" is an important new type of online service enabled essentially by Internet technologies. In social networking, groups of people with common interests or attributes can communicate with one another, share data, undertake discussions, be introduced to like-minded new friends and colleagues, and so on. Typically, access to social networking resources is qualified by some means in order to preserve the collective identity of the group, and protect the privacy of participants. In the case of online resources intended only for children, the most important qualification is the age of the user. Unfortunately, qualifications such as age for participating in social networking services have been difficult to enforce.
Social networking services are increasingly popular among children, who use features such as chat rooms in order to meet and interact with people. Yet various forms of child abuse occur in association with Internet social networking. The traditional difficulty in authenticating strangers on the Internet allows adults to pass themselves off as children online, and subsequently draw unsuspecting minors into their confidence.
Currently, social networking services for minors have few if any robust defences against adults passing themselves off as children. Qualifying personal details typically must be provided when a new user registers for a given social networking service, yet nothing stops wrongdoers lying about their age.
To protect minors against adults online who might mean them harm, much of the onus has been on educating children to not disclose excessive personal details about themselves, and to remain alert to anomalous behaviours by others online that might indicate that those others might not in fact be children. However these safeguards are imperfect. Children by their nature are not inclined to be reserved or self-limiting in their disclosures, especially when personal information has significant currency in social networking. That is, the usefulness of social networking depends to a large extent on being able to reveal personal details about oneself. Further, child abusers can adopt sophisticated strategies for masquerading as children and thus evade detection for long periods of time.
A technically comparable problem is associated with controlling the access to online resources intended only for adults (generally speaking, persons who have attained the age of majority). Such resources include online gambling, dating and introduction services, "adult" or pornographic content, and other classified content (films, television programs, literature and so on). In Australia for example, new regulations introduced in 2007 require age verification for content delivered over the Internet or to multimedia wireless devices such as mobile telephones when that content has been given a conventional film & television classification of "MA15+" (intended only for a "Mature Audience" over the age of 15) or "R18+" (Restricted to persons over the age of 18).
When verifying the age of users of online resources, whether they are supposed to be children (of the age of minority) or adults (of the age of majority), it is highly desirable that users be permitted to keep as much as possible of their other identifying information private. That is, an ideal situation is for an online user to be able to assert their exact age or their age group to a service provider without needing to reveal anything else about their identity. Maintaining privacy in children's online social networking is essential for as mentioned, it is wise for children to not disclose excessive personal details. Maintaining privacy in connection with access to adult oriented online resources is equally important: there can be stigma associated with the use of adult oriented sites, and the use of aliases in dating services is common.
Methods for age verification that require users to disclose details such as their full name or their date of birth are therefore unattractive to users wishing to withhold their identity.
One approach to the age verification problem is to have a trusted third party vouch for the age of a first party (the user) at the time when the user is accessing services of a second party (the online service provider). Some approaches to such age verification involve a new type of trusted third party that provides age verification services possibly on a commercial basis, typically by accessing authoritative repositories of age information. When a service provider wishes to confirm the age of a given user, they inquire with the third party as to the person's age. This approach requires the user to provide personal details when registering with the trusted third party, which represents an effort and possible additional expense not normally associated with the use of such resources as online social networking sites. This type of approach also complicates the processes by which the service provider deals with its users, and can involve the disclosure of personal details of the user to the service provider. Moreover, this approach requires a timely response from the third party as user participation is prevented until verification is provided by the third party.
Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is solely for the purpose of providing a context for the present invention. It is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention as it existed before the priority date of each claim of this application.
Throughout this specification the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated element, integer or step, or group of elements, integers or steps, but not the exclusion of any other element, integer or step, or group of elements, integers or steps.
Summary of the Invention
According to a first aspect the present invention provides a method for controlling access to an electronically accessible resource provided for a defined demographic group, the method comprising: securely storing in a storage device of a user a cryptographic Private Key; issuing to the user a Public Key Certificate corresponding to said Private Key, the Public Key Certificate including data that indicates that the user is a member of the defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group; and an access control system associated with the electronically accessible resource using said Public Key Certificate to verify that the user is eligible to access the electronically accessible resource.
According to a second aspect the present invention provides a method for providing a user with demographic verification, the method comprising: securely storing in a storage device of the user a cryptographic Private Key; and issuing to the user a Public Key Certificate corresponding to said Private Key, the Public Key Certificate including data that indicates that the user is a member of a defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group, wherein the Public Key Certificate is such that an access control system associated with an electronically accessible resource provided for the defined demographic group can use said Public Key Certificate to verify that the user is eligible to access the electronically accessible resource.
According to a third aspect the present invention provides a method for verifying user eligibility to access an electronically accessible resource provided for a defined demographic group, the method comprising: a user causing provision of a Public Key Certificate to an access control system associated with the electronically accessible resource; and the access control system verifying whether the user is eligible to access the electronically accessible resource by determining whether said signed Public Key Certificate includes data indicating that the user is a member of the defined demographic group, and determining whether the Public Key Certificate has been signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group.
According to a fourth aspect the present invention provides a storage device securely storing a cryptographic Private Key, and a Public Key Certificate corresponding to said Private Key and including data that indicates that the user is a member of a defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group.
According to a fifth aspect the present invention provides a computer program element comprising computer program code means to make a computer execute a procedure for controlling access to an electronically accessible resource, the computer program element comprising: computer program code means for obtaining from a user a Public Key Certificate; and computer program code means for verifying whether the user is eligible to access the electronically accessible resource by determining whether said signed Public Key Certificate includes data indicating that the user is a member of the defined demographic group, and determining whether the Public Key Certificate has been signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group.
The present invention thus provides for the Public Key Certificate to verify that the user is a member of a particular demographic group, such as being within a particular age group, without requiring that any other personal details about the user such as their identity be revealed. Thus the present invention provides a secure means by which to establish the user's authorisation to access the resource in question, without requiring authentication of the user's identity.
Such a Public Key Certificate in combination with a cryptographic storage device and Private Key provides a particularly strong mechanism for differentiating members of the relevant demographic group, for example for differentiating children from adults. Use of a cryptographic storage device and public key infrastructure provides resistance to copying or counterfeiting as might be attempted by an adult that would masquerade as a child. Providing the user with a private key gives the user a means to demonstrate that the Public Key Certificate is in fact associated with that individual, so as to prevent copies of the Certificate from being made and used by others.
The present invention also represents a form of two factor authentication and is therefore more resistant to theft and abuse than are traditional single factor authentication methods such as secret passwords used to control access to social networking services. If a child loses their cryptographic storage device then it is relatively easy to be alerted to that fact and prevent others from inappropriately using the device by cancelling the Certificate, and relatively easy to replace together with a new Public Key Certificate.
The Certificate may be issued to the user by being stored in connection with a storage device which is required to be kept in the possession of the user for other purposes, for example a driver's license, student concession card, membership card, a telephone or a personal digital assistant (PDA). Loss or theft of such a device is likely to be promptly reported by the user allowing cancellation of the Public Key Certificate to prevent others from using a stolen device to access the electronically accessible resource. The storage device could be a magnetic stripe card, a USB storage device, a smart card, a subscriber identity module (SIM) card, a random access memory or read only memory of a telephone or PDA, or other suitable device.
Preferably, the trusted third party is a body that, due to existing responsibilities, has the knowledge required to attest to the user's demographic status of interest. For example, where the demographic group is children of school age, preferred embodiments of the present invention provide for the trusted third party to be an institution such as a government department of education and/or a body responsible for issuing student concession cards, for example. Such embodiments ease implementation of the system of the present invention, by recognising that a typical routine function of such bodies is to produce and issue to school children public transport concession cards and the like, which in effect vouch for the fact that the card holder is a school age child. The present invention provides the means for that existing trusted third party to provide verification of age to the child in digital cryptographic form for use online, with the additional benefit in some embodiments of being able to de-identify the child in the online environment. Moreover, such embodiments of the present invention are further advantageous in providing a "push" distribution model for certificates, where the trusted third party acts as a 'source of truth' and feeds data to a Certificate Authority for the automatic production of certificates, avoiding the need for individuals to 'pull' down certificates by application. Thus, if for example a school student is eligible for a proof-of-age certificate, then the Certificate can be produced without requiring the student to undergo an arduous application process and without engaging any new authorities or service providers.
Embodiments of the invention preferably provide for one or more Root Certification Authorities each being trusted to attest that particular institutions are authorised to aver demographic characteristics of the user. Such embodiments of the invention provide for cross-jurisdictional implementation of the present invention, in providing for verification of a user's demographic characteristic when accessing an electronic resource based in a jurisdiction different to the jurisdiction in which the user is located. That is, such embodiments recognise that the electronically accessible resource may be in a different country or different jurisdiction to the user, and recognise that the provider of the electronically accessible resource may not have first hand knowledge of whether the institution is legitimately authorised to aver the demographic characteristics of the user.
By providing a Root Certification Authority responsible for maintaining a list of appropriately authorised bodies in different jurisdictions, such embodiments of the invention enable access control to the electronically accessible resource to be effected in an automated and rapid manner, by ensuring that the Public Key Certificate presented by the user and issued by an institution properly chains back to the Root Certification Authority. To establish such Root Certification requires the simple step of the Root Certification Authority issuing Public Key Certificates to one or more corresponding trusted third party Certification Authorities in each jurisdiction.
In cross-jurisdictional embodiments of the invention, the Root Certification Authority preferably further attests as to which particular demographic characteristic(s) each institution is authorised to aver. For example, the Root Certification Authority may attest that a government department of education is authorised to aver that children are minors. In such embodiments, the Root Certification Authority preferably maintains a code numbering schema, electronic directory service or similar means to identify which particular demographic characteristic is vouched for by the institution through the Public Key Certificates issued to individuals. A suitable code numbering schema could for example be constructed using X.500 standard Object Identifiers (OIDs) administered by the Root Certification Authority.
The demographic group may be defined by any suitable demographic characteristic(s), such as: age; gender; race; religion; sexual orientation; income; special interests; membership or affiliation with a society, social networking site, online gaming community or virtual world; geographic or virtual location; nationality; residential jurisdiction; disease status; and/or entitlement to social security benefits or old age benefits.
The storage device may be issued to the user by the trusted third party and may serve other purposes such as being a transport concession card for a student, or a driver's license for an adult. Alternatively, the storage device may be incorporated into another electronic device such as a portable digital assistant (PDA), mobile telephone handset, or personal computer. Embodiments utilising a portable device provide benefits including resistance to replay attack, identity theft, counterfeiting and the like, provide ease of use, and provide improved confidence in the user acting consensually in the use of the Private Key since it is unlikely that a physical device is used inadvertently. In embodiments of the invention in which a Private Key is stored in a storage device of the user, the Private Key and the Public Key Certificate are preferably stored in the same device, and may both be stored in a single storage means of the device. The storage device may comprise any suitable storage device such as a smartcard, a cryptographic USB key, a regular USB key, a mobile telephone Subscriber Identification Module (SIM) card, other memory of a mobile telephone or Personal Data Assistant, tamper resistant storage, or a hardware security module such as a Trusted Platform Module.
Preferably, the Public Key Certificate is anonymous in so far as the certificate contents do not include any personally identifiable information, and reveal only the fact averred by the Trusted Third Party that the user belongs to a certain demographic group such as being of a certain age. However in some embodiments it may be desirable for other purposes to include within the Public Key Certificate or within the storage device information identifying the user. The storage device may be equipped with visual indicia identifying the user, or alternatively may carry no visual means to identify the user. The storage device may store one or more other Private Keys or Public Key Certificates for other purposes, for example to establish the identity of the user in other applications.
In preferred embodiments of the present invention, the cryptographic storage device includes a built-in function for generating Public Key / Private Key pairs, such that following generation the Private Key never leaves the confines of the storage device. Such embodiments are advantageous in making it highly difficult for the storage device and its contents to be copied or counterfeited by illegitimate users.
In some embodiments of the present invention, when applied to the demographic group of children of minority age the storage device is preferably a tamper resistant cryptographic USB key. Such an embodiment is advantageous as being relatively easy to use by children, and is further advantageous in exploiting that USB devices are inexpensive, in widespread use, and are compatible with the great majority of contemporary personal computers and thus require no special reader device in order to be interfaced to a personal computer.
In embodiments of the invention, to authenticate that the user is properly associated with the Public Key Certificate, any suitable technique may be applied, for example the Private Key of the user may be used to produce a cryptogram from a challenge in a challenge-response protocol. Additionally or alternatively the Private Key of the user may be used to produce a cryptogram from a transactional data object where said cryptogram may be verifiable by means of the Public Key Certificate corresponding to said Private Key.
Brief Description of the Drawings
An example of the invention will now be described with reference to the accompanying drawings, in which: Figure 1 illustrates a system for issuing to children cryptographic USB keys including Public Key Certificates that verify the age of those children when accessing online resources; and
Figure 2 illustrates a general-purpose computing device that may be used in an exemplary system for implementing the invention.
Description of the Preferred Embodiments
The presently described embodiment of the present invention recognises the specific relationship that children as students can have with institutions such as Departments of Education, which have established processes for issuing to children documents or cards that aver eligibility for such concessions as discounted public transport fares. In this embodiment of the present invention, a Department of Education acts as a Trusted Third Party that issues Public Key Certificates that verify the age of each child receiving such a certificate. Any provider of online resources intended only for children can design their access control systems to use such Public Key Certificates to distinguish between children verified as such by the Department of Education, and other illegitimate users such as adults.
With reference to Figure 1, a Department of Education 110 maintains a database 112 of school age children. The Department of Education 110 issues to a child 101 listed in the database 112 a cryptographic USB key 150. The cryptographic USB key 150 includes a processor chip 155. During the process of personalising and issuing the cryptographic USB key 150, the processor chip 155 generates a Public Key - Private Key pair. A Public Key Certificate 120 corresponding to said Public Key - Private Key pair is created and signed by a Certification Authority 114 operated by the Department of Education 110. In alternative embodiments the Certification Authority 114 may be a separate party engaged by the Department of Education for this purpose.
The Public Key Certificate 120 includes a data item 122 that attests that the child 101 is of school age. The Public Key Certificate 120 also includes a digital signature 124 of the Department of Education 110. The Public Key Certificate 120 is anonymous in that the identity of the child 101 is not included in the Public Key Certificate 120, in this embodiment.
Subsequently, child 101 uses computer 130 to access via the Internet 199 online resources 220 provided by service provider 200 and intended only for children. The child 101 connects the cryptographic USB key 150 to a personal computer 130 as part of the access control procedure. An access control module 210 associated with the online resources 220 operates so as to distinguish legitimate users such as child 101 from illegitimate users such as adults. The access control module 210 effects verification by examining the Public Key Certificate 120, checking that the digital signature 124 corresponds to the Department of Education 110, and checking that the data item 122 does indicate that the holder of the Public Key Certificate 120 (namely the child 101) is of school age. If said checks are satisfied then the access control module 210 grants child 101 access to the online resources 220.
In this embodiment, the Certification Authority 114 is itself certified by a Root Certification Authority 314 which issues CA Public Key Certificate 320 containing a data item 326 that attests that the Certification Authority 114 is recognised as being authoritative over the particular demographic characteristic in question, in this case the fact that the child 101 is of school age. The CA Public Key Certificate 320 also includes a digital signature 324 of the Root Certification Authority 314. This arrangement thus effects an international or otherwise cross-jurisdictional mechanism for endorsing Certification Authority 114 so that the legitimacy of their verification of age of student 101 may be automatically verified by the service provider 200 even where the Certification Authority 114 is unknown to the service provider 200.
This cross-jurisdictional ability of this embodiment recognises that in respective jurisdictions there could be one or more bodies that are authoritative in vouching for certain demographic characteristics. For instance, in addition to Department of Education 110 acting as an authoritative body in vouching for child 101 being of school age, a driver licensing bureau might act as an authoritative body in vouching for individuals being of the age of majority. The infrastructure provided by this embodiment, specifically Root Certification Authority 314, enables the standing of such deemed authoritative bodies to be rapidly determined by a secure automated process even across jurisdictional borders.
For authorities to be certified by the Root Certification Authority 314, a formal approval process is implemented. For example where the authority is a driver license authority, the approval process takes advantage of existing international arrangements by which driver licence authorities and therefore driver licences are recognised across jurisdictions.
Therefore, in this embodiment any service provider 200 anywhere in the world can confirm whether a given individual 101 is of school age, no matter where that individual resides. This is because the service provider 200 can check if the person's Public Key Certificate 120 firstly chains back to the Root Certification Authority 314, and secondly that Public Key Certificate 120 contains a code number indicating that the Public Key Certificate issuer 114 is deemed by the Root Certification Authority 314 to be authoritative as to the demographic characteristic of being of school age.
The cross jurisdictional infrastructure provided by this embodiment scales readily. Once the Root Certification Authority 314 is established and its Root Public Key promulgated across all social networking sites such as child social networking site 220, new Certification Authorities 114 can be joined to the scheme at any time, to provide age verification for example, or verification of any other demographic characteristic, again without requiring identification of users.
Thus, service provider 200 is able to gain additional confirmation of the authority of the Department of Education 110 by verifying also that the Public Key Certificate 120 correctly chains cryptographically to CA Public Key Certificate 320 signed by the Root Certification Authority 314. If the Public Key Certificate 120 does correctly chain cryptographically to CA Public Key Certificate 320 then service provider 200 can infer that the Certification Authority 114 is a recognised member of the inter-jurisdictional set of authoritative bodies able to vouch for demographic characteristics. If the data item 326 further indicates that the Certification Authority 114 has been certified by the Root Certification Authority 314 as being authoritative over the demographic property of being of school age, then the service provider 200 gains additional confirmation of the authority of the Department of Education 110.
This embodiment thus maintains the privacy of child 101 by not requiring the child at any time to provide their actual name or any other identifying details to the social networking service 220. Because the child's age is attested to by the Department of Education 110, the child also does not need to divulge their name or personal details to third parties. Even in alternative embodiments where the Certification Authority 114 is a separate party to the Department of Education 110, that authority 114 does not receive any details identifying the child in their task of producing the certificate 120.
This embodiment thus takes advantage of knowledge that an existing trusted authority, namely department of education 110, already has about the age of the child 101, and further ensures that only the pertinent personal quality is revealed, in that the child is of the age of minority. This embodiment thus avoids introducing or imposing additional parties into the relationship between the service provider 200 and the user 101, providing a verification model which is simple, less risky, cheaper to implement, and lower cost to operate.
Moreover, by providing child 101 with a Public Key Certificate issued by the CA 114, this embodiment enables verification to be performed substantially offline. This is because the face validity of the child's certificate 120 is evident to the service provider 200 without the provider 200 having to make any online inquiries at all, provided they have a trusted copy of the PKI root key. The currency of the child's age verification certificate 120 might need to be checked in real time by provider 200, to ensure that it has not been revoked; however, such a real-time check can be done with relatively high performance and low bandwidth requirements using the industry standard OCSP protocol supported by all commercial CAs.
Some portions of this detailed description are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
As such, it will be understood that such acts and operations, which are at times referred to as being computer-executed, include the manipulation by the processing unit of the computer of electrical signals representing data in a structured form. This manipulation transforms the data or maintains it at locations in the memory system of the computer, which reconfigures or otherwise alters the operation of the computer in a manner well understood by those skilled in the art. The data structures where data is maintained are physical locations of the memory that have particular properties defined by the format of the data. However, while the invention is described in the foregoing context, it is not meant to be limiting as those of skill in the art will appreciate that various of the acts and operations described may also be implemented in hardware.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the description, it is appreciated that throughout the description, discussions utilizing terms such as "processing" or "computing" or "calculating" or "determining" or "displaying" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
The present invention also relates to apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus.
The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. While noting that some embodiments of the invention require cryptographic functionality and/or tamper-resistant hardware, in the main various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear from the description. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.
A machine-readable medium includes any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer). For example, a machine-readable medium includes read only memory ("ROM"); random access memory ("RAM"); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.); etc.
Turning to Figure 2, the invention is illustrated as being implemented in a suitable computing environment. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
In Figure 2 a general purpose computing device is shown in the form of a conventional personal computer 20, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system (BIOS) 26, containing the basic routines that help to transfer information between elements within the personal computer 20, such as during start-up, is stored in ROM 24. The personal computer 20 further includes a hard disk drive 27 for reading from and writing to a hard disk 60, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD ROM or other optical media. The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical disk drive interface 34, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 20. 
Although the exemplary environment shown employs a hard disk 60, a removable magnetic disk 29, and a removable optical disk 31, it will be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories, read only memories, storage area networks, and the like may also be used in the exemplary operating environment.
A number of program modules may be stored on the hard disk 60, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35, one or more applications programs 36, other program modules 37, and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and a pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or a universal serial bus (USB) or a network interface card. A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor, personal computers typically include other peripheral output devices, not shown, such as speakers and printers.
The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated. The logical connections depicted include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and, inter alia, the Internet.
When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the WAN 52. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the invention as described in the specific embodiments disclosed herein, without departing from the spirit or scope of the invention as broadly described. For example, while the described embodiment uses cryptographic USB keys, alternate embodiments may provide an alternative means for securely storing Private Keys associated with Public Key Certificates that verify the age of the user, such alternative means including without limitation smartcards, mobile telephone Subscriber Identification Modules, hardware security modules, and "Trusted Platform Modules".
Further, it will be appreciated by persons skilled in the art of Public Key Infrastructure that there are numerous methods and processes available for generating Public Key - Private Key pairs, generating Public Key Certificates, and personalising and issuing cryptographic storage devices, and any suitable such method may be adopted in implementing the present invention.
While the embodiment described herein involves cryptographic storage devices and Public Key Certificates being issued by an institution, alternative embodiments can make use of outsourced managed service providers that issue storage devices and Public Key Certificates on behalf of the institution, under contract to the institution.
Further, while the present embodiment relates to verifying the age of users of online resources intended only for children, the present invention is applicable to enforcing other types of access control rules for online resources. Such other rules include without limitation verifying that the user has reached the age of majority, as may be attested to by a driver's license regulator or other suitable trusted body. Such verification of age of majority may be employed by social networking sites intended for adults only and/or sites providing classified content, adult content or gambling content, whether delivered via the Internet to personal computers and the like or via multimedia services to mobile telephones or other wireless devices.
Alternatively the present invention may be employed in verifying that the user attends a certain school, as may be attested to by that school or by a government department of education.
In other embodiments the demographic grouping may be by disease status, for example to attest to the user being free of sexually communicable diseases, as may be attested to by a certified health professional for example.
The demographic group may be membership of a romantic dating community, whereby the user's membership of the community is attested to by a community registrar. The demographic group may be membership of an online virtual world community or an online game such as a massively multiplayer online role playing game, whereby the user's membership of the community is attested to by a community registrar. In embodiments where community membership is verified, existing members of the community may be permitted to introduce new members by signing the new member's application using their Private Key and Public Key Certificate in order to effect an introduction.
The demographic group may be social security or old age benefit recipients, as may be attested to by a social security agency.
Still further, while the preferred embodiment has been described with reference to a personal computer for accessing online resources, it is to be appreciated that any computing device with network connectivity may be used in implementing the present invention. For example the computing device may comprise a suitably configured "multimedia" or 3G mobile telephone.
In a particular instance, this invention allows differentiation between children and adults in connection to controlling access to online resources intended only for children. In another instance, this invention allows differentiation of users in connection with online resources intended only for adults.
In one variation, a Certificate may be relied upon to verify that the user is a member of a particular demographic group, such as being within a particular age group, without requiring that any other personal details about the user such as their identity be revealed. This affords a means by which to establish the user's authorisation to access the resource in question, without requiring authentication of the user's identity nor use of a private key.
It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the invention as shown in the specific embodiments without departing from the scope of the invention as broadly described. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.

Claims

CLAIMS:
1. A method for controlling access to an electronically accessible resource provided for a defined demographic group, the method comprising: securely storing in a storage device of a user a cryptographic Private Key; issuing to the user a Public Key Certificate corresponding to said Private Key, the Public Key Certificate including data that indicates that the user is a member of the defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group; and an access control system associated with the electronically accessible resource using said Public Key Certificate to verify that the user is eligible to access the electronically accessible resource.
2. The method of claim 1 wherein the issuing is performed by or on behalf of the trusted third party and wherein the trusted third party is a body that, due to existing responsibilities, has the knowledge required to attest to the user's demographic status of interest.
3. The method of claim 1 or claim 2 wherein using said Public Key Certificate to verify that the user is eligible to access the electronically accessible resource comprises determining whether the Public Key Certificate chains back to a Root Certification Authority trusted by the access control system.
4. The method of claim 3 further comprising determining whether the Root Certification Authority avers that the Trusted Third Party is trusted to attest to demographic characteristics of the user.
5. The method of claim 4 further comprising accessing a code numbering schema maintained by the Root Certification Authority to identify which particular demographic characteristic is vouched for by the Trusted Third Party through the Public Key Certificate.
6. The method of any one of claims 1 to 5 wherein the demographic characteristic comprises at least one of: age; gender; race; religion; sexual orientation; income; special interests; membership or affiliation with a society, social networking site, online gaming community or virtual world; geographic or virtual location; nationality; residential jurisdiction; disease status; and entitlement to social security benefits or old age benefits.
7. The method of any one of claims 1 to 6 wherein the Public Key Certificate is anonymous in so far as the certificate contents do not include any personally identifiable information beyond the demographic characteristic averred by the Trusted Third Party.
8. The method of any one of claims 1 to 7 further comprising the access control system authenticating that the user is properly associated with the Public Key Certificate.
9. The method of claim 8 wherein the authenticating comprises the Private Key of the user producing a cryptogram from a challenge in a challenge-response protocol, whereby said cryptogram is verifiable by means of the Public Key Certificate corresponding to said Private Key.
10. The method of claim 8 or claim 9 wherein the authenticating comprises the Private Key of the user producing a cryptogram from a transactional data object, whereby said cryptogram is verifiable by means of the Public Key Certificate corresponding to said Private Key.
11. A method for providing a user with demographic verification, the method comprising: securely storing in a storage device of the user a cryptographic Private Key; and issuing to the user a Public Key Certificate corresponding to said Private Key, the Public Key Certificate including data that indicates that the user is a member of a defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group, wherein the Public Key Certificate is such that an access control system associated with an electronically accessible resource provided for the defined demographic group can use said Public Key Certificate to verify that the user is eligible to access the electronically accessible resource.
12. A method for verifying user eligibility to access an electronically accessible resource provided for a defined demographic group, the method comprising: a user causing provision of a Public Key Certificate to an access control system associated with the electronically accessible resource; and the access control system verifying whether the user is eligible to access the electronically accessible resource by determining whether said signed Public Key Certificate includes data indicating that the user is a member of the defined demographic group, and determining whether the Public Key Certificate has been signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group.
13. A storage device securely storing a cryptographic Private Key, and a Public Key Certificate corresponding to said Private Key, the Public Key Certificate including data that indicates that the user is a member of a defined demographic group, and the Public Key Certificate being signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group.
14. The storage device of claim 13 wherein the storage device is kept in the possession of the user for other purposes, being at least one of a driver's license, student concession card, membership card, a telephone or a personal digital assistant (PDA).
15. The storage device of claim 13 or claim 14, the storage device comprising at least one of: a magnetic stripe card, a USB storage device, a cryptographic USB storage device, a smart card, a tamper resistant storage, a subscriber identity module (SIM) card, a hardware security module and a random access memory or read only memory of a telephone or PDA.
16. The storage device of any one of claims 13 to 15, wherein the storage device has a cryptographic function for generating Public Key / Private Key pairs, such that following generation the Private Key never leaves the confines of the storage device.
17. A computer program element comprising computer program code means to make a computer execute a procedure for controlling access to an electronically accessible resource, the computer program element comprising: computer program code means for obtaining from a user a Public Key Certificate; and computer program code means for verifying whether the user is eligible to access the electronically accessible resource by determining whether said signed Public Key Certificate includes data indicating that the user is a member of the defined demographic group, and determining whether the Public Key Certificate has been signed by or on behalf of a Trusted Third Party trusted to attest to the user being a member of the defined demographic group.
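The checks described for access control module 210 (chaining to Root Certification Authority 314, data items 122 and 326) and the challenge-response of claims 8 and 9 can be exercised end to end with the Go sketch below. It is an added example, not code from the patent or from Lockstep Technologies. The OIDs, code numbers, function names, the use of Ed25519 and the single intermediate CA are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholders: the patent gives no OIDs or code numbers for its data items.
var (
	OIDAttests       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55555, 1, 1} // data item 122, user cert
	OIDAuthoritative = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55555, 1, 2} // data item 326, CA cert
)

const SchoolAge, AgeOfMajority = 1, 2 // constructed code numbers

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Issue makes a key pair and certifies it; oid adds a data item, a nil parent yields a self-signed root.
func Issue(cn string, isCA bool, oid asn1.ObjectIdentifier, code int,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // stands in for on-device key generation
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if oid != nil {
		val, _ := asn1.Marshal(code) // encoding an int cannot fail
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oid, Value: val}}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// hasCode reports whether c carries data item oid with exactly the value want.
func hasCode(c *x509.Certificate, oid asn1.ObjectIdentifier, want int) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			var code int
			rest, err := asn1.Unmarshal(e.Value, &code)
			return err == nil && len(rest) == 0 && code == want
		}
	}
	return false
}

// Respond is the holder's side of the challenge-response: sign the fresh nonce.
func Respond(key ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(key, challenge)
}

// Verify runs the access control module's checks; nil means access is granted.
func Verify(leaf, ca, root *x509.Certificate, want int, challenge, sig []byte) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	if err != nil {
		return fmt.Errorf("certificate does not chain to the trusted root: %w", err)
	}
	if !hasCode(leaf, OIDAttests, want) {
		return fmt.Errorf("certificate does not attest characteristic %d", want)
	}
	// chains[0] is ordered leaf, issuing CA, root; the CA's own certificate must carry the code.
	if ch := chains[0]; len(ch) < 3 || !hasCode(ch[1], OIDAuthoritative, want) {
		return fmt.Errorf("issuing CA is not certified as authoritative over characteristic %d", want)
	}
	if pub, ok := leaf.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return fmt.Errorf("holder did not prove possession of the private key")
	}
	return nil
}

func main() {
	root, rootKey := Issue("Root CA 314", true, nil, 0, nil, nil)
	ca, caKey := Issue("Education CA 114", true, OIDAuthoritative, SchoolAge, root, rootKey)
	leaf, childKey := Issue("anonymous", false, OIDAttests, SchoolAge, ca, caKey)
	nonce := []byte("constructed-nonce")
	fmt.Println("access error:", Verify(leaf, ca, root, SchoolAge, nonce, Respond(childKey, nonce)))
}
```

The sketch omits the revocation check that the description says may be done in real time over OCSP. Without the challenge-response step, a copied certificate alone would pass the chain and data item checks.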
PCT/AU2008/001392 2007-09-19 2008-09-19 Verifying a personal characteristic of users of online resources WO2009036511A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2008301230A AU2008301230A1 (en) 2007-09-19 2008-09-19 Verifying a personal characteristic of users of online resources

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
AU2007216833 2007-09-19
AU2007216833 2007-09-19
AU2008901033A AU2008901033A0 (en) 2008-03-03 Verifying a personal characteristic of users of online resources
AU2008901033 2008-03-03

Publications (1)

Publication Number Publication Date
WO2009036511A1 (en) 2009-03-26

Family

ID=40467435

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2008/001392 WO2009036511A1 (en) 2007-09-19 2008-09-19 Verifying a personal characteristic of users of online resources

Country Status (2)

Country Link
AU (1) AU2008301230A1 (en)
WO (1) WO2009036511A1 (en)

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8768778B2 (en) 2007-06-29 2014-07-01 Boku, Inc. Effecting an electronic payment
US9449313B2 (en) 2008-05-23 2016-09-20 Boku, Inc. Customer to supplier funds transfer
US9652761B2 (en) 2009-01-23 2017-05-16 Boku, Inc. Systems and methods to facilitate electronic payments
US8548426B2 (en) 2009-02-20 2013-10-01 Boku, Inc. Systems and methods to approve electronic payments
US9990623B2 (en) 2009-03-02 2018-06-05 Boku, Inc. Systems and methods to provide information
US8700530B2 (en) 2009-03-10 2014-04-15 Boku, Inc. Systems and methods to process user initiated transactions
US8386353B2 (en) 2009-05-27 2013-02-26 Boku, Inc. Systems and methods to process transactions based on social networking
US9595028B2 (en) 2009-06-08 2017-03-14 Boku, Inc. Systems and methods to add funds to an account via a mobile communication device
DE102009031817A1 (en) * 2009-07-03 2011-01-05 Charismathics Gmbh Method for display, examination and distribution of digital certificates for use in public key infrastructure, involves evaluating confidential status for certificate of certificate owner
US9697510B2 (en) 2009-07-23 2017-07-04 Boku, Inc. Systems and methods to facilitate retail transactions
US9519892B2 (en) 2009-08-04 2016-12-13 Boku, Inc. Systems and methods to accelerate transactions
US9135616B2 (en) 2009-09-23 2015-09-15 Boku, Inc. Systems and methods to facilitate online transactions
US8660911B2 (en) 2009-09-23 2014-02-25 Boku, Inc. Systems and methods to facilitate online transactions
US8392274B2 (en) 2009-10-01 2013-03-05 Boku, Inc. Systems and methods for purchases on a mobile communication device
US8412626B2 (en) 2009-12-10 2013-04-02 Boku, Inc. Systems and methods to secure transactions via mobile devices
US8566188B2 (en) 2010-01-13 2013-10-22 Boku, Inc. Systems and methods to route messages to facilitate online transactions
US8478734B2 (en) 2010-03-25 2013-07-02 Boku, Inc. Systems and methods to provide access control via mobile phones
WO2011119809A2 (en) * 2010-03-25 2011-09-29 Boku, Inc. Systems and methods to provide access control via mobile phones
WO2011119809A3 (en) * 2010-03-25 2011-12-29 Boku, Inc. Systems and methods to provide access control via mobile phones
US8583504B2 (en) 2010-03-29 2013-11-12 Boku, Inc. Systems and methods to provide offers on mobile devices
US8589290B2 (en) 2010-08-11 2013-11-19 Boku, Inc. Systems and methods to identify carrier information for transmission of billing messages
US8699994B2 (en) 2010-12-16 2014-04-15 Boku, Inc. Systems and methods to selectively authenticate via mobile communications
US8958772B2 (en) 2010-12-16 2015-02-17 Boku, Inc. Systems and methods to selectively authenticate via mobile communications
US8412155B2 (en) 2010-12-20 2013-04-02 Boku, Inc. Systems and methods to accelerate transactions based on predictions
US8583496B2 (en) 2010-12-29 2013-11-12 Boku, Inc. Systems and methods to process payments via account identifiers and phone numbers
US8700524B2 (en) 2011-01-04 2014-04-15 Boku, Inc. Systems and methods to restrict payment transactions
US9202211B2 (en) 2011-04-26 2015-12-01 Boku, Inc. Systems and methods to facilitate repeated purchases
US8774758B2 (en) 2011-04-26 2014-07-08 Boku, Inc. Systems and methods to facilitate repeated purchases
US8543087B2 (en) 2011-04-26 2013-09-24 Boku, Inc. Systems and methods to facilitate repeated purchases
US8774757B2 (en) 2011-04-26 2014-07-08 Boku, Inc. Systems and methods to facilitate repeated purchases
US9830622B1 (en) 2011-04-28 2017-11-28 Boku, Inc. Systems and methods to process donations
US9191217B2 (en) 2011-04-28 2015-11-17 Boku, Inc. Systems and methods to process donations
CN105809434A (en) * 2014-12-31 2016-07-27 北京华虹集成电路设计有限责任公司 Second-generation USB Key method using operators network to transmit data and device
CN108696349A (en) * 2017-03-31 2018-10-23 英特尔公司 The trusted third party that credible performing environment is used as proving to provide privacy
WO2020086668A1 (en) * 2018-10-23 2020-04-30 Visa International Service Association Validation service for account verification
US11558425B2 (en) * 2019-07-31 2023-01-17 EMC IP Holding Company LLC Dynamic access controls using verifiable claims
EP3916687A1 (en) * 2020-05-28 2021-12-01 Morteo Appierto, Luciana Method and system for conditional access

Also Published As

Publication number Publication date
AU2008301230A1 (en) 2009-03-26

Similar Documents

Publication Publication Date Title
WO2009036511A1 (en) Verifying a personal characteristic of users of online resources
US10652018B2 (en) Methods and apparatus for providing attestation of information using a centralized or distributed ledger
US11481768B2 (en) System and method of generating and validating encapsulated cryptographic tokens based on multiple digital signatures
US10829088B2 (en) Identity management for implementing vehicle access and operation management
US10410213B2 (en) Encapsulated security tokens for electronic transactions
JP2004519874A (en) Trusted Authentication Digital Signature (TADS) System
US20180205559A1 (en) Method and apparatus for authenticating a service user for a service that is to be provided
CN112507300A (en) Electronic signature system based on eID and electronic signature verification method
US11250423B2 (en) Encapsulated security tokens for electronic transactions
Fumy et al. Handbook of EID Security: Concepts, Practical Experiences, Technologies
US10867326B2 (en) Reputation system and method
Chadwick et al. Openid for verifiable credentials
Gladney Safe deals between strangers
Kumar et al. e-Authentication framework for e-governance review paper
JP2003115841A (en) Method and device for electronic authentication
Smedinghoff Federated identity management: balancing privacy rights, liability risks, and the duty to authenticate
Martínez-Peláez et al. Digital Pseudonym Identity for e-Commerce
Richards et al. It's Okay To Be A Dog On The Internet–Privacy And Trust In e-Government

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 08800027; Country of ref document: EP; Kind code of ref document: A1
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase. Ref country code: DE
WWE Wipo information: entry into national phase. Ref document number: 2008301230; Country of ref document: AU
ENP Entry into the national phase. Ref document number: 2008301230; Country of ref document: AU; Date of ref document: 20080919; Kind code of ref document: A
122 Ep: pct application non-entry in european phase. Ref document number: 08800027; Country of ref document: EP; Kind code of ref document: A1