Abstract: A key exchange protocol can be performed between components of a system, such as between a computer program being executed by the processor of a PC (or other computer system) and a peripheral. A peripheral with a user input capability and a very limited display capability, such as a keyboard or a mouse, may be used to confirm a key exchange between the system components in a way that requires the user to enter only small amounts of input data (e.g., keystrokes or mouse clicks). Security between components may be enhanced without having a negative impact on usability of the system. Embodiments of the present invention help to deter “man in the middle” attacks wherein an attacker gains control of a system component situated between certain communicating system components.

Abstract: In one embodiment of the invention is a method to use authentication certificates to authorize peers to particular applications. In addition to using authentication certificates to authenticate the identity and trustworthiness of a peer, authentication certificates are additionally used to authorize peers to particular applications. A list of certificates is maintained in a Peer Authorized Certificate Store (PACS), where the certificates may comprise any combination of root certificates, intermediate certificates, and peer certificates. When an authentication certificate is received from a peer, the peer is authenticated using the authentication certificate; and authorized by checking the authentication certificate against a Peer Authorized Certificate Store (PACS).

Abstract: Systems for providing an authentication service through a number of authentication mechanisms associated with each user. Lists of the authentication mechanisms associated with each user are stored in a set of portfolios, one portfolio for each user. Authentication mechanisms include laptops, PCs, biometric input devices, smart card readers, proximity badge readers, magnetic stripe readers, and the like. The systems have various configurations of registration servers, authentication servers, and authorization servers. Methods for providing an authentication service include relating a user identity to a portfolio, relating a type of transaction to a level of authentication, and authenticating the user identity through one or more authentication mechanisms for the type of transaction, according to the level of authentication required.

Abstract: A method for controlling access to user information is presented. A user requests a service from a relying party. The relying party makes a request for user information. The user approves or rejects the request for user information. The verification service sends a response to the relying party. As such, the user may selectively control what information is released to, and acquired by, the relying party.

Abstract: A second digital credential that includes a first digital credential and a digital signature is received, and the validity of the second digital credential is determined. A determination is made whether the first digital credential is valid based on the validity of the second digital credential.

Abstract: Secured information is stored on a server accessible to a network. A first access component that is required to permit use of the secured information is distributed to a delegate. In the absence of a second access component, the first access component is not sufficient to permit use of the secured information. The second access component can be stored on the server or stored with a third party for distribution to the delegate.

Abstract: The system includes receiving, from a delegator, a designation of a role and a delegate to assume the role, receiving, from a credential service provider, an indication that the designation is valid, issuing a delegation credential in response to receiving the indication, and issuing a confirmation to the delegator, which indicates that the delegation credential was issued.