Patents by Inventor Arun K. Nanda

Arun K. Nanda has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7640579
    Abstract: A cryptographic session key is utilized to maintain security of a digital identity. The session key is valid only for a limited period of time. Additional security is provided via a bimodal credential allowing different levels of access to the digital identity. An identity token contains pertinent information associated with the digital identity. The identity token is encrypted utilizing public-key cryptography. An identifier utilized to verify the validity of the digital identity is encrypted with the cryptographic session key. The encrypted identity token and the encrypted identifier are provided to a service, for example. The service decrypts the encrypted identity token utilizing public-key cryptography, and decrypts, with the cryptographic session key obtained from the identity token, the encrypted identifier. If the identifier is determined to be valid, the transaction proceeds normally. If the identifier is determined to be invalid, the transaction is halted.
    Type: Grant
    Filed: September 9, 2005
    Date of Patent: December 29, 2009
    Assignee: Microsoft Corporation
    Inventors: John P. Shewchuk, Arun K. Nanda, Donald F. Box, Douglas A. Walter, Hervey O. Wilson
  • Publication number: 20090320095
    Abstract: A federated identity provisioning system includes relying parties, identity providers, and clients that obtain tokens from identity providers for access to a relying party's services. When a client contacts a new relying party, the relying party provides information that the client can independently resolve and evaluate for trustworthiness. For example, the relying party provides a generic domain name address. The client can then resolve the domain name address over various, authenticated steps to identify an endpoint for a digital identity provisioning service. The client can further interact with and authenticate the provisioning service (e.g., requiring digital signatures) to establish a trust relationship. Once determining that the client/user trusts the provisioning service, the client/user can then provide information to obtain a digital identity representation.
    Type: Application
    Filed: June 18, 2008
    Publication date: December 24, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Arun K. Nanda, Tariq Sharif
  • Publication number: 20090319795
    Abstract: Creating a token for use by an entity when digitally signing documents. In a computing environment, a digital identity representation for an entity is accessed. The digital identity representation includes information identifying identity attributes about the entity and capabilities of an identity provider that provides tokens for use by the entity. Context information is accessed. The context information includes information about one or more of which, how or where the attributes for the entity identified in the digital identity representation will be used. A security token is created from the information in the digital identity representation and the context information. The security token makes assertions by the identity provider. The assertions are based on the information in the digital identity representation. The token further includes information related to at least a portion of the context information.
    Type: Application
    Filed: June 20, 2008
    Publication date: December 24, 2009
    Applicant: Microsoft Corporation
    Inventors: Tariq Sharif, Arun K. Nanda, Craig H. Wittenberg, Lucas R. Melton, Richard Randall, Kim Cameron, Hervey O. Wilson
  • Publication number: 20090307744
    Abstract: A federated identity verification system includes an identity provider that provides security tokens ultimately to one or more relying parties for access by the client to services at a relying party. Specifically, the relying party can validate the security token from an identity provider (whether directly or via a client) when verifying that the received security token conforms to security configuration data previously exchanged with the identity provider. To establish the trust relationship, the identity provider and one or more relying parties exchange security configuration information through an agreed-to communication channel. The security configuration information indicates the settings that the other party needs to use for establishing, maintaining, and/or monitoring the trust relationship. The communication channel allows both parties to flexibly and continually synchronize changes to security configurations, and thus maintain, change, or end the trust relationship automatically, as desired.
    Type: Application
    Filed: June 9, 2008
    Publication date: December 10, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Arun K. Nanda, Matthew F. Steele, Danver W. Hartop, Sriram Vasudevan, Edward P. Johns, Colin H. Brace, Vijay K. Gajjala
  • Publication number: 20090217362
    Abstract: A server provisions a client with digital identity representations such as information cards. A provisioning request to the server includes filtering parameters. The server assembles a provisioning response containing cards that satisfy the filtering parameters, and transmits the response to a client, possibly by way of a proxy. The provisioning response may include provisioning state information to help a server determine in subsequent exchanges which cards are already present on the client. A client may keep track of the source of information cards and discard cards which a server has discarded. A proxy may make the provisioning request on behalf of a client, providing the server with the proxy's own authentication and with a copy of the request from the client to the proxy.
    Type: Application
    Filed: April 29, 2009
    Publication date: August 27, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Arun K. Nanda, Hervey Wilson, Dan Guberman, Vijay K. Gajjala, Raman Chikkamagalur, Oren Melzer
  • Publication number: 20090217383
    Abstract: Well-defined messages may be transmitted from a sending device to a recipient device in order to reduce the processing and resource requirements imposed by the security semantics of general message standards. The well-defined messages may include an expression of a collective intent of the security semantics included in the message. The expression of the security semantics within the message simplifies the discovery process for devices processing the message. The well-defined message may also require that any intermediary devices that process the well-defined message as it is transmitted from the sender device to the receiver device follow the expressed collective intent of the security semantics. If an intermediary device cannot understand or adhere to the expressed intent, the well-defined message must be rejected.
    Type: Application
    Filed: February 26, 2008
    Publication date: August 27, 2009
    Applicant: Microsoft Corporation
    Inventors: Douglas A. Walter, Christopher G. Kaler, John P. Shewchuk, Arun K. Nanda
  • Publication number: 20090198761
    Abstract: Communication of a compressed message over a communication channel between message processors. The compressed message may be expressed in terms of an expressed or implicit template identification, and values of one or more parameters. Based on the template identification, the meaning of the one or more parameters may be understood, whereas the meaning of the parameter(s) may not be understood without a knowledge of the template. The template provides semantic context for the one or more parameters. The transmitting message processor may have compressed the message using the identified template. Alternatively or in addition, the receiving message processor may decompress the message using the identified template. The template itself need not be part of the compressed message as transmitted.
    Type: Application
    Filed: January 31, 2008
    Publication date: August 6, 2009
    Applicant: Microsoft Corporation
    Inventors: Arun K. Nanda, John P. Shewchuk, Christopher G. Kaler, Hervey O. Wilson
  • Patent number: 7555784
    Abstract: Exemplary embodiments disclosed herein may include a method and system for providing information to a user and safely disclosing identity information over the Internet comprising receiving information from a server, analyzing the information, presenting the analyzed information to a user for validation in a finite number of configurations controlled by a client, and validating of the information by the user.
    Type: Grant
    Filed: March 4, 2005
    Date of Patent: June 30, 2009
    Assignee: Microsoft Corporation
    Inventors: Kim Cameron, Arun K. Nanda, Andy Harjanto, Stuart L. S. Kwan, John P. Shewchuk, Bill Barnes, Khushru Irani, Charles R. Reeves
  • Publication number: 20090127651
    Abstract: In a semiconductor substrate, a shallow trench isolation structure having a dielectric material disposed in voids of a trench-fill material and a method for forming the shallow trench isolation structure. The voids may be formed during a wet clean process after the dielectric material is formed in the trench. A conformal silicon nitride layer is formed over the substrate and in the voids. After removal of the silicon nitride layer, the voids are at least partially filled by the silicon nitride material.
    Type: Application
    Filed: January 21, 2009
    Publication date: May 21, 2009
    Inventors: Arun K. Nanda, Nace Rossi, Ranbir Singh
  • Publication number: 20090113534
    Abstract: A challenge mechanism in which a challenge is issued from one message processor to another. In generating the challenge, the message processor may select any one or more of a number of available interactive challenge types, where each type of challenge type might use different user-originated information. Upon receiving the challenge, the challengee message processor may identify the challenge type based on information provided in the challenge, and perform different actions depending on the challenge type. The challengee message processor then generates an appropriate challenge response, and issues that challenge response to the challenger message processor. The challenger message processor may then validate the challenge response.
    Type: Application
    Filed: October 26, 2007
    Publication date: April 30, 2009
    Applicant: Microsoft Corporation
    Inventors: Arun K. Nanda, Christopher G. Kaler, Tariq Sharif
  • Patent number: 7514336
    Abstract: In a semiconductor substrate, a shallow trench isolation structure having a dielectric material disposed in voids of a trench-fill material and a method for forming the shallow trench isolation structure. The voids may be formed during a wet clean process after the dielectric material is formed in the trench. A conformal silicon nitride layer is formed over the substrate and in the voids. After removal of the silicon nitride layer, the voids are at least partially filled by the silicon nitride material.
    Type: Grant
    Filed: December 29, 2005
    Date of Patent: April 7, 2009
    Assignee: Agere Systems Inc.
    Inventors: Arun K. Nanda, Nace Rossi, Ranbir Singh
  • Publication number: 20090063466
    Abstract: Described is a technology by which a resource selector traverses a hierarchical storage structure to enumerate its resources and provide a flat list of corresponding items. The user interacts with the flat list to select an item. The resource selector is particularly beneficial when incorporated into a handheld computing device. The resource selector may use a filtering criterion associated with an application program, e.g., the hierarchical storage may correspond to a file system, with the file extension (type) being the filtering criterion. A trigger coupled to the resource selector triggers the resource selector, in which the trigger may be incorporated into the application program, or may comprise an application-independent (e.g., operating system) component that knows which application program currently has focus and triggers the resource selector for that application.
    Type: Application
    Filed: August 31, 2007
    Publication date: March 5, 2009
    Applicant: Microsoft Corporation
    Inventors: Yanfei Xu, Xiao Xe, Arun K. Nanda, Kim Cameron
  • Publication number: 20090011553
    Abstract: A method for forming BiCMOS integrated circuits and structures formed according to the method. After forming doped wells and gate stacks for the CMOS devices and collector and base regions for the bipolar junction transistor, an emitter layer is formed within an emitter window. A dielectric material layer is formed over the emitter layer and remains in place during etching of the emitter layer and removal of the etch mask. The dielectric material layer further remains in place during source/drain implant doping and activation of the implanted source/drain dopants. The dielectric material layer functions as a thermal barrier, to limit out-diffusion of the emitter dopants during the activation step.
    Type: Application
    Filed: September 11, 2008
    Publication date: January 8, 2009
    Applicant: Agere Systems Inc.
    Inventors: Arun K. Nanda, Venkat Raghavan, Nace Rossi
  • Publication number: 20080289020
    Abstract: An identity system and method uses biometric representation(s) in identity tokens. When a principal requests access to a relying party, the relying party may request an identity token containing a first claim about the principal and a biometric representation of the principal. An identity provider may then create the identity token, including a digital signature. The relying party may receive the identity token through a first channel and decode it. The relying party may also receive and use biometric information about the principal received through a second channel to verify the validity of the first claim at least in part through comparison of the biometric representation to the biometric information.
    Type: Application
    Filed: May 15, 2007
    Publication date: November 20, 2008
    Applicant: Microsoft Corporation
    Inventors: Kim Cameron, Arun K. Nanda
  • Patent number: 7439119
    Abstract: A method for forming BiCMOS integrated circuits and structures formed according to the method. After forming doped wells and gate stacks for the CMOS devices and collector and base regions for the bipolar junction transistor, an emitter layer is formed within an emitter window. A dielectric material layer is formed over the emitter layer and remains in place during etching of the emitter layer and removal of the etch mask. The dielectric material layer further remains in place during source/drain implant doping and activation of the implanted source/drain dopants. The dielectric material layer functions as a thermal barrier, to limit out-diffusion of the emitter dopants during the activation step.
    Type: Grant
    Filed: February 24, 2006
    Date of Patent: October 21, 2008
    Assignee: Agere Systems Inc.
    Inventors: Arun K. Nanda, Venkat Raghavan, Nace Rossi
  • Publication number: 20080178272
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. Various methods are provided for creating new DIRs, requesting DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Application
    Filed: September 17, 2007
    Publication date: July 24, 2008
    Applicant: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Colin H. Brace, Derek T. Del Conte, Arun K. Nanda, Stuart L.S. Kwan, Rashmi Raj, Vijayavani Nori
  • Publication number: 20080178271
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. A system is provided using a common identity data store for both DIR issuance and identity token issuance, decreasing synchronization issues. Various methods are provided for creating new DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Application
    Filed: September 17, 2007
    Publication date: July 24, 2008
    Applicant: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Colin H. Brace, Derek T. Del Conte, Kim Cameron, Arun K. Nanda, Hervey O. Wilson, Stuart L.S. Kwan, Rashmi Raj, Vijayavani Nori
  • Publication number: 20080086766
    Abstract: Obtaining tokens with alternate personally identifying information. A method may be practiced, for example, in a networked computing environment including a client and a token issuer. The token issuer provides security tokens to the client that the client can use for accessing functionality of services in the networked computing environment. The method includes sending a security token request to a token issuer. The security token request specifies alternate personally identifying information for an entity. The method further includes receiving a security token from the security token issuer. The security token includes the alternate personally identifying information.
    Type: Application
    Filed: October 6, 2006
    Publication date: April 10, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: Christopher G. Kaler, Arun K. Nanda, Kim Cameron
  • Publication number: 20080086486
    Abstract: Shared Federation Metadata. A data structure may be implemented in a networked computing environment including federation. A federation includes two or more organizations coupled in a fashion such that authentication and authorization statements span the organizations in accordance with a pre-defined policy. A computer readable medium may include a data structure. The data structure includes fields including at least one or more grouping of metadata about a first federation or about an organization within the first federation. At least one of the one or more groupings of metadata about the first federation or about an organization within the first federation are included in the data structure by a reference to a block of federation metadata; the block of federation metadata is used for at least one other federation or organization.
    Type: Application
    Filed: October 5, 2006
    Publication date: April 10, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: Christopher G. Kaler, Arun K. Nanda
  • Publication number: 20080082626
    Abstract: Requesting security tokens with typed information. A method includes accessing, at a client, information to allow the client to request a token for accessing functionality of a service. The method further includes sending a client request from the client to a token issuer in a token request. The client request includes the information and at least one of information defining the source of the information, proof of the source of the information, or usage information specifying how the information should be used.
    Type: Application
    Filed: September 29, 2006
    Publication date: April 3, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: Christopher G. Kaler, Douglas A. Walter, Arun K. Nanda, Hervey O. Wilson