Abstract: The present invention relates to using authorization information provided by an asserting agent to control identity-related interactions between a receiving agent and an identity agent, which acts on behalf of the asserting agent. The authorization information may be provided to the identity agent directly or through the receiving agent. When the asserting agent is asserting the identity of an associated entity to the receiving agent, the asserting agent delivers assertion information, which may but need not include the authorization information, to the receiving agent. The assertion information includes claim information that includes actual claims or identifies available claims. Upon receiving the assertion information, the receiving agent may interact with the identity agent. The identity agent will use the authorization information to control claim-related interactions with the receiving agent.
IDENTITY ASSERTION
[0001] This application claims the benefit of U.S. provisional application serial number 60/941,724 filed June 4, 2007, the disclosure of which is incorporated herein by reference in its entirety.
Field of the Invention
[0002] The present invention relates to an entity's identity, and in particular to controlling the assertion of an entity's identity.
Background of the Invention
[0003] The identity of an entity, such as a person, system, or object, relates to attributes or information that is particularly unique to that person, system, or object. The identity of an entity is often maintained through information that is provided from any number of identity authorities, such as local, state, and federal governments. Other institutions, such as financial institutions, may have similar information that is unique to a particular entity, and may help identify a particular entity. Regardless of how identity information is created or who creates the identity information, it becomes more and more important to protect identity information and keep identity information out of the wrong hands. The evolution of the Internet and electronic commerce requires more and more frequent exchanges of vulnerable identity information. When identity information lands in the wrong hands, identity thieves can readily step into the identity of another, and conduct themselves as such in our electronic society.
[0004] Given the damage that can occur when an identity is stolen, and the difficulty in recovering from a stolen identity, there is a continuing need for techniques to protect an entity's identity, yet allow the entity to fully participate in our electronic society. In particular, there is a need to avoid maintaining extensive identity information on portable electronic devices, which are often lost, thereby leaving valuable identity information readily accessible. There is a further need to minimize or limit the amount of identity information that is transferred over the Internet or like communication networks in association with communication sessions or electronic transactions.
Summary of the Invention
[0005] The present invention relates to using authorization information provided by an asserting agent to control identity-related interactions between a receiving agent and an identity agent, which acts on behalf of the asserting agent. The authorization information may be provided to the identity agent directly or through the receiving agent. When the asserting agent is asserting the identity of an associated entity to the receiving agent, the asserting agent delivers assertion information, which may but need not include the authorization information, to the receiving agent. The assertion information includes claim information that is related to one or more claims, which define attributes of or facts about the entity and relate to the identity of the entity or unique information associated with the entity. The claim information may include the actual claims or identify available claims. Upon receiving the assertion information, the receiving agent may interact with the identity agent. In one embodiment, the receiving agent interacts with the identity agent to verify certain claims associated with the entity. In another embodiment, the receiving agent requests claims associated with the entity from the identity agent. The identity agent will use the authorization information to control claim-related interactions with the receiving agent.
[0006] The authorization information may limit the ability of the identity agent to interact with the receiving agent according to different criteria. The authorization information may limit the number of interactions with the receiving agent or authorize interactions for a certain time period. For example, the authorization information may only allow one interaction between the identity agent and the receiving agent, where a given interaction may require multiple exchanges between the identity agent and the receiving agent to facilitate an interaction. Alternatively, the authorization information may only allow such interactions for a 24-hour period prior to expiring, or for any interactions for a given session between the asserting agent and the receiving agent.
[0007] The authorization information may only allow interactions within a given context. As such, interactions between the identity agent and receiving agent may be limited to a given purpose or in association with a certain type of session between the asserting agent and the receiving agent. For example, only those of the entity's claims that relate to a defined purpose and are stored on the identity agent are made available to the receiving agent. The given context may correspond to interactions with a receiving agent or receiving agents that are associated with a certain entity or defined group of entities.
[0008] The authorization information may limit the interaction between the identity agent and the receiving agent based on any combination of the above or other criteria. For example, the authorization information may be provided for a single use, within a set amount of time, for a single interaction, and within a defined context. The context may directly or indirectly identify a specific receiving agent or purpose for which the authorization information is pertinent. Those skilled in the art will recognize numerous ways in which the authorization information may be configured to limit interactions between the identity agent and any number of receiving agents.
[0009] Those skilled in the art will appreciate the scope of the present invention and realize additional aspects thereof after reading the following detailed description of the preferred embodiments in association with the accompanying drawing figures.
Brief Description of the Drawing Figures
[0010] The accompanying drawing figures incorporated in and forming a part of this specification illustrate several aspects of the invention, and together with the description serve to explain the principles of the invention.
[0011] FIGURE 1 is a block representation of a communication environment according to one embodiment of the present invention.
[0012] FIGURES 2A-2D show a communication flow illustrating multiple identity assertions according to various embodiments of the present invention.
[0013] FIGURE 3 is a block representation of an identity agent according to one embodiment of the present invention.
[0014] FIGURE 4 is a block representation of a user terminal according to one embodiment of the present invention.
Detailed Description of the Preferred Embodiments
[0015] The embodiments set forth below represent the necessary information to enable those skilled in the art to practice the invention and illustrate the best mode of practicing the invention. Upon reading the following description in light of the accompanying drawing figures, those skilled in the art will understand the concepts of the invention and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the disclosure and the accompanying claims.
[0016] In many instances, it is desirable to assert the identity of an entity from one device to another in an effort to establish a level of trust between the two devices or entities associated therewith. A device that is asserting the identity of an associated entity is referred to as an asserting agent, while a device to which the entity's identity is being asserted is referred to as a receiving agent. With reference to Figure 1, a communication environment is illustrated to include a communication network 10, which supports communications between various user terminals 12, such as fixed telephone terminals, mobile telephone terminals, and personal computers. Any user terminal 12 may be an asserting agent 14 or a receiving agent 16 for a given situation. An entity may represent a person that is associated with a user terminal 12; a system, such as a user terminal 12, server, computer, or web site; an object, or the like. Accordingly, an asserting agent 14 or receiving agent 16 may be a function that runs on a device that represents the entity. Alternatively, the entity may be a person, system, or object, and the asserting agent 14 or receiving agent 16 may be a device or function running on a device that is associated with the person, system, or object.
[0017] The identity for an entity may be defined by one or more claims. In some situations, claims are provided in a credential. Claims correspond to attributes of or facts about the entity and relate to the entity's identity or unique information associated with the entity. A credential is a mechanism for associating a select group of claims for an entity and may be provided by an appropriate authority, which is referred to as an identity authority 18. For example, a driver's license or passport is a credential, and information thereon, such as the document number, social security number, age, height, expiration date, residence information, citizenship, biometric information, and the like may represent claims for the respective credentials. Credit or debit cards may also be considered credentials, where the associated card numbers, expiration dates, and security codes are claims of the credit cards. Another credential example includes web certificates that are used for verifying the identity of web servers and the like.
[0018] In essence, an asserting agent 14 asserts the identity of an associated entity such that a receiving agent 16 can determine to a desired level of confidence that the asserting agent 14 or associated entity is who they say they are. Once this determination is made, the asserting agent 14 and the receiving agent 16 may establish a session or provide certain communications over an established session. When asserting the identity of an entity, the asserting agent 14 may take some action to have certain of the entity's claims delivered to the receiving agent 16, which will process the claims to determine if and how to interact with the asserting agent 14. In many cases, the receiving agent 16 uses the claims to determine with sufficient certainty that the entity associated with the asserting device corresponds to the identity being asserted. Based on such determination, the receiving agent 16 may determine whether to interact with the asserting agent 14, how to interact with the asserting agent 14, or both.
[0019] As noted, asserting the identity of an entity involves presenting one or more claims of the entity to a receiving agent 16, which may process the claims to determine whether to engage the asserting agent 14. The claims may be presented to the receiving agent 16 directly by the asserting agent 14 as well as indirectly by an identity agent 20, which acts on behalf of the asserting agent 14. The identity agent 20 will have a trustworthy relationship with the asserting agent 14, and may be configured to store certain claims and related information of the entity associated with asserting agent 14 and provide such information to the receiving agent 16 upon request. The identity agent 20 may also be configured to verify certain information, such as claims, credentials, or related information of the entity for the receiving agent 16.
[0020] In one embodiment, the identity agent 20 may store claims of the entity as well as be configured to verify information of the entity based on certain of the entity's claims, prior to an identity assertion by the asserting agent 14. In response to an identity assertion, the receiving agent 16 may obtain certain of the claims of the entity from the identity agent 20, have the identity agent 20 verify information of the entity based on claims that were received from the asserting agent 14 by the receiving agent 16, or both.
[0021] Accordingly, the receiving agent 16 may interact with the identity agent 20 in various ways in response to the asserting agent 14 asserting the identity of an associated entity to the receiving agent 16. For the present invention, the asserting agent 14 must authorize some or all interactions between the identity agent 20 and the receiving agent 16 in association with an identity assertion by the asserting agent 14 to the receiving agent 16. In particular, the asserting agent 14 will provide authorization information, which governs the interactions that are appropriate between the identity agent 20 and the receiving agent 16. The authorization information may be passed directly to the identity agent 20 or may be sent to the receiving agent 16, which will provide the authorization information to the identity agent 20. Regardless of how the authorization information is received from the asserting agent 14, the identity agent 20 will use the authorization information to control interactions with the receiving agent 16.
[0022] The authorization information may limit the ability of the identity agent 20 to interact with the receiving agent 16 according to different criteria. The authorization information may limit the number of interactions with the receiving agent 16 or authorize interactions for a certain time period. For example, the authorization information may only allow one interaction between the identity agent 20 and the receiving agent 16, where a given interaction may require multiple exchanges between the identity agent 20 and the receiving agent 16 to facilitate a given interaction. Alternatively, the authorization information may only allow such interactions for a 24-hour period prior to expiring or for any interactions for a given session between the asserting agent 14 and the receiving agent 16.
[0023] The authorization information may only allow interactions within a given context. As such, interactions between the identity agent 20 and receiving agent 16 may be limited to a given purpose or in association with a certain type of session between the asserting agent 14 and the receiving agent 16. For example, only those of the entity's claims that relate to a defined purpose for the interaction or session and are stored on the identity agent 20 are made available to the receiving agent 16. The given context may correspond to interactions with a particular receiving agent 16 or receiving agents 16 that are associated with a certain entity or defined group of entities. For example, the authorization information may dictate that only interactions for credit card authorizations or secured video conferences are allowed in general or for a particular entity. The authorization information may limit the interaction between the identity agent 20 and the receiving agent 16 based on any combination of the above or other criteria. As another example, the authorization information may be provided for a single use, within a set amount of time, for a single interaction, and within a defined context. As noted, the context may directly or indirectly identify a specific receiving agent 16 or purpose for which the authorization information is pertinent.
[0024] In another embodiment, the authorization information may dictate how much information, including credentials or claims, of the entity may be provided to a receiving agent 16 in general, or within a given context. For example, if the context is a credit card transaction that requires a valid government-issued ID that has a name corresponding to the name on the credit card, the information provided to the receiving agent 16 may merely indicate that a valid government-issued ID that matches the credit card does exist, but not send all of the claims associated with the government-issued ID. Only the claims corresponding to the credit card information and the indication that the government-issued ID exists need to be provided to the receiving agent 16. As such, the important identity information is secured, and only such information that is necessary or required is provided to the receiving agent 16. In another example, assume that a session cannot be established with someone who is under 21 years of age. For an identity assertion for an entity who is 32, the identity agent 20 may be instructed using the appropriate authorization information to only respond to age requests by indicating that the entity is over 21, instead of providing the exact birth date and other confidential claims that are often associated with a credential that provides such information. Accordingly, social security numbers, driver's license numbers, or passport numbers may be maintained in confidence, yet the receiving agent 16 is able to confirm that the entity is over 21 for a given session, which may relate to purchasing alcohol or accessing certain media content.
[0025] With the present invention, the use of the identity agent 20 and allowing the asserting agent 14 to control the identity agent 20 allows an entity to maintain complete control over the identity agent 20. In certain scenarios, each interaction must be authorized in a specific context for a certain session for interaction. Those skilled in the art will recognize numerous ways in which the authorization information may be configured to limit interactions between the identity agent 20 and any number of receiving agents 16.
[0026] With reference now to Figures 2A through 2D, a communication flow is provided to illustrate various scenarios for asserting the identity of an entity associated with the asserting agent 14 to receiving agents 16A and 16B, respectively. The communication flows illustrate how authorization information provided by the asserting agent 14 may be used to control the interaction between the identity agent 20 and one of the receiving agents 16A, 16B according to different scenarios.
[0027] With reference to Figure 2A, assume that the asserting agent 14 receives and stores non-credential claims, which are claims that may not be associated with a particular credential (step 100). Further, assume that the identity authority 18 issues a credential with various credential claims (step 102), and delivers the credential with the credential claims to the asserting agent 14 (step 104). In certain embodiments, the identity authority 18 may be configured to deliver a credential and certain credential claims directly to the identity agent 20 upon authorization by the asserting agent 14, or other user terminal 12 associated with the entity (step 106). Alternatively, the asserting agent 14 may provide certain credentials and claims, either non-credential claims or credential claims, to the identity agent 20 (step 108). The identity agent 20 will store the credentials and claims for the entity (step 110). The identity agent 20 may also be provisioned by the entity to manage the claims and credentials, along with any other information desired by the entity. The entity may establish a control profile that allows the identity agent 20 to interact with the various receiving agents 16A, 16B and control such interaction in light of authorization information that is received directly from the asserting agent 14 or from the asserting agent 14 via the receiving agent 16A, 16B. As noted above, the identity agent 20 may be able to provide certain information to the receiving agents 16A, 16B as well as verify information for the receiving agents 16A, 16B, assuming such interactions are authorized by the asserting agent 14.
[0028] For the first scenario, the asserting agent 14 is asserting the identity of the entity associated with the asserting agent 14 to the receiving agent 16A. The receiving agent 16A will receive claims from the asserting agent 14 and request that the identity agent 20 verify the authenticity of these claims or other information associated with the entity based on the claims. The authorization information for the interaction between the identity agent 20 and the receiving agent 16A is passed directly to the identity agent 20 from the asserting agent 14.
[0029] Accordingly, the asserting agent 14 will determine to initiate a session with the receiving agent 16A (step 112) and send a session initiation message toward the receiving agent 16A (step 114). The asserting agent 14 will also generate authorization information, which will control how the identity agent 20 interacts with the receiving agent 16A (step 116). In this example, the asserting agent 14 will send the authorization information directly to the identity agent 20 (step 118). The authorization information may be provided for a single use, within a set amount of time, for a single interaction, within a defined context, or any combination thereof. In this example, assume that the authorization information at least allows the identity agent 20 to verify information that is associated with the entity in response to receiving the claim information for the entity from the receiving agent 16A.
[0030] Next, the asserting agent 14 may assert the identity of the entity to the receiving agent 16A by sending identity assertion information to the receiving agent 16A (step 120). The identity assertion information may include claims, such as Claim A and Claim B, or other related claim information, along with the identity or uniform resource identifier (URI) for the identity agent 20. As such, the receiving agent 16A can use the identity agent URI to send a verification request to verify certain information for the entity to the identity agent 20 (step 122). Assume that the verification request included claims A and B for the entity, and indicated the desire to verify these claims and certain other information associated with the entity. The identity agent 20 will receive the verification request and process the verification request based on the previously received authorization information (step 124). In this example, the identity agent 20 is authorized to process the verification request, wherein the verification request is based on claims of the entity. If the verification request does not correspond with the authorization provided in the authorization information, the identity agent 20 will limit the verification response or avoid interacting with the receiving agent 16A altogether. Since the identity agent 20 is authorized to interact with the receiving agent 16A in the illustrated example, a verification response is provided to the receiving agent 16A (step 126), which will process the verification response (step 128) and proceed as desired. In this example, the receiving agent 16A is configured to respond to the verification response by establishing a trust relationship and a session with the asserting agent 14 (step 130).
[0031] In the next scenario, the authorization information is not provided directly to the identity agent 20. Instead, the asserting agent 14 will provide the authorization information for controlling the interaction between the identity agent 20 and the receiving agent 16B directly to the receiving agent 16B. Further, the authorization information is provided along with the identity assertion information. Accordingly, the asserting agent 14 may determine to initiate a session with the receiving agent 16B (step 132) and send a session initiation message toward the receiving agent 16B (step 134). The asserting agent 14 will generate authorization information to control the interaction between the identity agent 20 and the receiving agent 16B (step 136) and deliver identity assertion information toward the receiving agent 16B (step 138). The identity assertion information is once again the vehicle for asserting the identity of the entity to the receiving agent 16B. The identity assertion information not only includes the claims A and B and the identity agent URI, but also includes the authorization information. The receiving agent 16B may once again send a verification request to verify claims A and B or other information associated with the entity based on claims A and B (step 140). The verification request may also include the authorization information, and as such, the identity agent 20 will recognize the authorization information and process the verification request based on the authorization information (step 142). Assuming an interaction is authorized with the receiving agent 16B for this scenario, the identity agent 20 will provide a verification response to the receiving agent 16B (step 144). The receiving agent 16B will process the verification response (step 146), and assuming the verification was positive, a session is established between the asserting agent 14 and the receiving agent 16B (step 148). Although the authorization information is shown as being carried in the identity assertion information as well as in the verification request, the authorization information may be provided in the same or different messages as the identity assertion information and verification request.
[0032] For the next scenario, the authorization information is delivered directly to the identity agent 20; however, the identity agent 20 is capable of delivering information, such as claims for the entity, to the receiving agent 16A. Accordingly, the asserting agent 14 may determine to initiate a session with the receiving agent 16A (step 150), and send the corresponding session initiation message toward the receiving agent 16A (step 152). Again, the asserting agent 14 will generate authorization information to control the interaction between the identity agent 20 and the receiving agent 16A (step 154), and send the authorization information directly to the identity agent 20 (step 156).
[0033] In this example, the asserting agent 14 does not store certain claims associated with the entity, but recognizes that these claims are provided by the identity agent 20. Accordingly, the asserting agent 14 will assert the identity of the associated entity to the receiving agent 16A using identity assertion information (step 158). The identity assertion information may include information indicating that claims C and D are available (GET CLAIMS C, D) from the identity agent 20 using the identity agent URI. Upon receiving the identity assertion information, the receiving agent 16A may send a claim request to the identity agent 20 to obtain claims C and D (step 160). The identity agent 20 will process the claim request based on the authorization information (step 162). Assuming the claim request was authorized by the asserting agent 14, the identity agent 20 will access claims C and D of the entity and provide them in a claim response to the receiving agent 16A (step 164). The receiving agent 16A may process the claims C and D (step 166), and if so desired, continue with establishing a trustworthy relationship and session with the asserting agent 14 (step 168).
[0034] For the final scenario, assume that the authorization information from the prior example is sent to the receiving agent 16B in the identity assertion information, instead of being sent directly to the identity agent 20. Thus, the receiving agent 16B must present the authorization information to the identity agent 20. Continuing with the communication flow, assume that the asserting agent 14 determines to initiate a session with the receiving agent 16B (step 170) and sends a session initiation message toward the receiving agent 16B (step 172). The asserting agent 14 may generate the appropriate authorization information to control the interaction of the identity agent 20 and the receiving agent 16B (step 174), and provide the authorization information along with the assertion information to the receiving agent 16B (step 176). As in the prior example, the identity assertion information asserts the information for the entity by instructing the receiving agent 16B to get claims C and D from the identity agent 20 using the identity agent URI. The receiving agent 16B will generate a claim request, which includes the authorization information and instructions to obtain claims C and D, and will send the claim request to the identity agent 20 (step 178). The identity agent 20 will process the claim request based on the authorization information (step 180), and if the interaction between the identity agent 20 and the receiving agent 16B is authorized, the identity agent 20 will provide a claim response, which includes claims C and D, to the receiving agent 16B (step 182). The receiving agent 16B will process claims C and D, and any other information received from the identity agent 20 (step 184), to determine whether to establish a trustworthy relationship with the asserting agent 14 and a session therewith (step 186).
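
The relayed-authorization scenarios above, combined with the limits described in [0022] to [0024] (single use, 24-hour lifetime, a specific receiving agent and purpose, and an over-21 answer in place of a birth date), can be sketched as follows. This is an added example, not code from the specification: the JSON encoding, the field names, the `over_21` claim name, and the HMAC under a key shared by asserting agent and identity agent are all assumptions, since the text does not say how authorization information is encoded or protected while the receiving agent carries it.

```python
import hashlib
import hmac
import json
from datetime import date

# Assumption: a key shared by asserting agent and identity agent (their trust relationship).
SHARED_KEY = b"constructed-demo-key"


def issue_authorization(key, auth_id, receiver, purpose, allowed, now, ttl_s=86400, max_uses=1):
    """Asserting agent: build authorization information and bind it with an HMAC tag."""
    body = {"id": auth_id, "receiver": receiver, "purpose": purpose,
            "allowed": sorted(allowed), "expires": now + ttl_s, "max_uses": max_uses}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class IdentityAgent:
    """Stores the entity's claims and answers requests only as far as authorized."""

    def __init__(self, key, claims):
        self.key = key
        self.claims = claims
        self.uses = {}  # authorization id -> interactions already served

    def _answer(self, name, today):
        # Derived claim: confirm "over 21" without disclosing the birth date itself.
        if name == "over_21":
            born = self.claims["birth_date"]
            age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
            return age >= 21
        return self.claims[name]

    def handle_request(self, auth, receiver, purpose, requested, now, today):
        # `receiver` is assumed to be authenticated by the transport; that step is not shown.
        expected = hmac.new(self.key, auth["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["tag"]):
            return {"status": "denied", "reason": "bad_tag"}
        body = json.loads(auth["payload"])
        if now >= body["expires"]:
            return {"status": "denied", "reason": "expired"}
        if receiver != body["receiver"]:
            return {"status": "denied", "reason": "wrong_receiver"}
        if purpose != body["purpose"]:
            return {"status": "denied", "reason": "wrong_purpose"}
        if self.uses.get(body["id"], 0) >= body["max_uses"]:
            return {"status": "denied", "reason": "used_up"}
        # Limit the response to what was authorized instead of failing the whole request.
        granted = [c for c in requested
                   if c in body["allowed"] and (c == "over_21" or c in self.claims)]
        if not granted:
            return {"status": "denied", "reason": "nothing_authorized"}
        self.uses[body["id"]] = self.uses.get(body["id"], 0) + 1
        return {"status": "ok", "claims": {c: self._answer(c, today) for c in granted}}


def demo():
    """Constructed run: receiving agent 16B relays the authorization it was handed."""
    agent = IdentityAgent(SHARED_KEY, {"birth_date": date(1975, 3, 14),
                                       "license_no": "CONSTRUCTED-0000"})
    auth = issue_authorization(SHARED_KEY, "auth-1", "16B", "age_check", ["over_21"], now=1000)
    today = date(2007, 6, 4)
    first = agent.handle_request(auth, "16B", "age_check", ["over_21", "birth_date"], 2000, today)
    replay = agent.handle_request(auth, "16B", "age_check", ["over_21"], 2001, today)
    return first, replay


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The identity agent checks the tag before parsing anything else, so a receiving agent that edits the relayed payload to widen the allowed claims is refused before the other limits are evaluated.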
[0035] In the above examples, the identity assertion was provided in association with initiating a session from the asserting agent 14. Those skilled in the art will recognize that an identity assertion may take place prior to initiating a session or after a session has been established. Further, the asserting agent 14 need not be the agent that initiates a session with which the identity assertion is associated.
[0036] With the present invention, claims or credentials that are used for identity assertion may be stored in the asserting agent 14, the identity agent 20, or a combination thereof. In certain scenarios, the asserting agent 14 will store all of the claims or credentials necessary for interactions initiated by the asserting agent 14. In other scenarios, the claims and credentials may all be stored at the identity agent 20, while the asserting agent 14 does not store any credentials or claims. In other scenarios, the claims may be distributed between the asserting agent 14 and the identity agent 20. Accordingly, the receiving agent 16 may use claims received from the asserting agent 14 to verify certain information for the entity, as well as receive claims that are not stored on the asserting agent 14 from the identity agent 20. Further, multiple identity agents 20 may be used to store different credentials or claims for a given entity. As such, the credentials or claims are distributed among various identity agents 20. To verify information for the entity or obtain credentials or claims for the entity, a receiving agent 16 may be required to interact with different ones of the identity agents 20 for a particular identity assertion. In such a scenario, the credentials and claims for an identity of an entity are substantially safeguarded, especially when the credentials or claims that are stored on the asserting agent 14 are limited. In these scenarios, different authorization information may be created for different identity agents 20, wherein different identity agents 20 are able to provide different identity assertion functions for the receiving agent 16.
[0037] With reference to Figure 3, a block representation of an identity agent 20 is illustrated according to one embodiment of the present invention. The identity agent 20 may include a control system 22 having sufficient memory 24 for the requisite software 26 and data 28 to operate as described above. The control system 22 may also be associated with a communication interface 30 to facilitate communications over the communication network 10.
[0038] With reference to Figure 4, a user terminal 12 is illustrated according to one embodiment of the present invention. The user terminal 12 may include a control system 32 having sufficient memory 34 for the requisite software 36 and data 38 to provide an asserting agent 14 or a receiving agent 16, as described above. The control system 32 may be associated with a communication interface 40 to facilitate communications over the communication network 10 in a direct or indirect fashion. Further, the control system 32 may be associated with a user interface 42 to facilitate interaction with the user, as well as support communication sessions with other user terminals 12. Thus, the user interface 42 may include a microphone, speaker, keyboard, display, and the like, which operate in traditional fashion for traditional functionality.
[0039] Those skilled in the art will recognize improvements and modifications to the preferred embodiments of the present invention. All such improvements and modifications are considered within the scope of the concepts disclosed herein and the claims that follow.
Claims
What is claimed is:
1. A method for operating an identity agent comprising:
• obtaining authorization information originated from an asserting agent in association with the asserting agent asserting an identity to a receiving agent, the authorization information configured to control an identity-related interaction between the identity agent and the receiving agent;
• providing the identity-related interaction; and
• controlling the identity-related interaction based on the authorization information.
2. The method of claim 1 wherein the authorization information is configured to authorize a single identity-related interaction between the identity agent and the receiving agent.
3. The method of claim 1 wherein the authorization information is configured to authorize at least one identity-related interaction between the identity agent and the receiving agent for a limited duration.
4. The method of claim 1 wherein the authorization information is configured to authorize identity-related interactions between the identity agent and only the receiving agent.
5. The method of claim 1 wherein the authorization information is configured to authorize at least one identity-related interaction for a defined purpose between the identity agent and the receiving agent.
6. The method of claim 1 wherein the asserting agent is asserting the identity to the receiving agent in association with a session established or to be established between the asserting agent and the receiving agent, the authorization information configured to authorize at least one identity-related interaction between the identity agent and the receiving agent if the session is of a certain type.
7. The method of claim 1 wherein the authorization information is configured to authorize at least one identity-related interaction for a defined purpose and for a limited duration.
8. The method of claim 1 wherein the authorization information is configured to authorize only a single identity-related interaction for a defined purpose and for a limited duration.
9. The method of claim 1 wherein obtaining the authorization information comprises receiving the authorization information from the asserting agent.
10. The method of claim 1 wherein the authorization information is provided to the receiving agent from the asserting agent, and obtaining the authorization information comprises receiving the authorization information from the receiving agent.
11. The method of claim 1 wherein the identity-related interaction corresponds to a request for at least one identity-related claim that is associated with the entity, and controlling the identity-related interaction comprises:
• determining whether to provide the at least one identity-related claim to the receiving agent; and
• providing the at least one identity-related claim to the receiving agent if the authorization information allows the at least one identity-related claim to be provided to the receiving agent.
12. The method of claim 1 wherein the identity-related interaction corresponds to a request to verify information based on at least one identity-related claim that is associated with the entity, and controlling the identity-related interaction comprises:
• determining whether to verify the information based on the at least one identity-related claim; and
• verify the at least one identity-related claim for the receiving agent if the authorization information allows the information to be verified for the receiving agent.
13. The method of claim 1 wherein providing the identity-related information comprises receiving a request for information associated with a credential comprising a plurality of claims, and controlling the identity-related interaction comprises:
• identifying only select ones of the plurality of claims to use for responding to the request based on the authorization information; and
• providing the select ones of the plurality of claims to the receiving agent.
14. The method of claim 1 wherein providing the identity-related information comprises receiving a request for information associated with a credential comprising a plurality of claims, and controlling the identity-related interaction comprises:
• generating claim-related information based on at least one of the plurality of claims based on the authorization information; and
• providing the claim-related information to the receiving agent.
15. The method of claim 1 wherein the asserting agent is provided by a first user terminal.
16. The method of claim 1 wherein the receiving agent is provided by a first user terminal.
17. The method of claim 1 wherein the entity is associated with a plurality of identity-related claims, and a first group of the plurality of identity-related claims are stored on the asserting agent and a second group of the plurality of identity-related claims are stored on the identity agent and not the asserting agent, wherein the identity-related interaction involves the second group of the plurality of identity-related claims.
18. The method of claim 17 wherein the first group of the plurality of identity-related claims are provided to the receiving agent by the asserting agent.
19. An identity agent comprising:
• a communication interface; and
• a control system associated with the communication interface and adapted to:
• obtain authorization information originated from an asserting agent in association with the asserting agent asserting an identity to a receiving agent, the authorization information configured to control an identity-related interaction between the identity agent and the receiving agent;
• provide the identity-related interaction; and
• control the identity-related interaction based on the authorization information.
20. A method comprising:
• providing a plurality of identity agents; and
• at each of the plurality of identity agents and in association with a session between an asserting agent and a receiving agent:
• obtaining authorization information originated from the asserting agent in association with the asserting agent asserting an identity to the receiving agent, the authorization information configured to control identity-related interactions between each of the plurality of identity agents and the receiving agent;
• providing a unique identity-related interaction; and
• controlling a corresponding one of the unique identity-related interactions based on the authorization information.
21. The method of claim 20 wherein at least one of the unique identity-related interactions corresponds to a request for at least one identity-related claim that is associated with the entity, and controlling the at least one of the unique identity-related interactions comprises:
• determining whether to provide the at least one identity-related claim to the receiving agent; and
• providing the at least one identity-related claim to the receiving agent if the authorization information allows the at least one claim to be provided to the receiving agent.
22. The method of claim 20 wherein at least one of the unique identity-related interactions corresponds to a request to verify information based on at least one identity-related claim that is associated with the entity, and controlling the at least one of the unique identity-related interactions comprises:
• determining whether to verify the information based on the at least one identity-related claim; and
• verify the at least one identity-related claim for the receiving agent if the authorization information allows the information to be verified for the receiving agent.
23. The method of claim 20 wherein obtaining the authorization information for at least one of the plurality of identity agents comprises receiving the authorization information from the asserting agent.
24. The method of claim 20 wherein the authorization information is provided to the receiving agent from the asserting agent, and obtaining the authorization information for at least one of the plurality of identity agents comprises receiving the authorization information from the receiving agent.
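The following Python sketch is an added illustration, not part of the specification or claims, of how an identity agent could enforce the kinds of authorization information recited in claims 2 to 5 and 11 to 14: single use, limited duration, a named receiving agent, a defined purpose, release of only select claims, and claim-related information generated from a stored claim. All names, the stored values, the `over_18` derived claim and the HMAC that protects authorization information relayed through the receiving agent (claim 10) are assumptions made for the example.

```python
import hashlib
import hmac
import json
from datetime import date

KEY = b"constructed-demo-key"  # assumption: shared by asserting agent and identity agent
# Constructed sample claims stored on the identity agent, not on the asserting agent.
CLAIMS = {"name": "A. Example", "birth_date": "1980-05-17", "account": "CONSTRUCTED-0001"}

def _mac(body):
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEY, raw, hashlib.sha256).hexdigest()

def issue_authorization(auth_id, receiver, purpose, claims, expires, single_use):
    """Asserting agent: build authorization information and protect it with a MAC."""
    body = {"id": auth_id, "receiver": receiver, "purpose": purpose,
            "claims": sorted(claims), "expires": expires, "single_use": single_use}
    return {"body": body, "mac": _mac(body)}

class IdentityAgent:
    def __init__(self):
        self.used = set()  # ids of authorizations that already released claims

    def handle(self, auth, requester, purpose, wanted, now):
        """Return (status, released_claims) for one identity-related interaction."""
        body = auth["body"]
        if not hmac.compare_digest(auth["mac"], _mac(body)):
            return "denied: authorization altered", {}
        if requester != body["receiver"]:
            return "denied: wrong receiving agent", {}
        if purpose != body["purpose"]:
            return "denied: wrong purpose", {}
        if now >= body["expires"]:
            return "denied: expired", {}
        if body["single_use"] and body["id"] in self.used:
            return "denied: already used", {}
        released = {}
        for name in wanted:
            if name not in body["claims"]:
                continue  # release only the select claims the authorization names
            if name == "over_18":  # claim-related information derived from a stored claim
                born = date.fromisoformat(CLAIMS["birth_date"])
                today = date.fromtimestamp(now)
                age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
                released[name] = age >= 18
            elif name in CLAIMS:
                released[name] = CLAIMS[name]
        if not released:
            return "denied: no authorized claim requested", {}
        self.used.add(body["id"])
        return "ok", released
```

A request that names `birth_date` or `account` alongside `over_18` receives only the derived boolean, so the receiving agent learns the answer it needs without the underlying claim.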