Abstract: The subject disclosure is directed towards credential verification for accessing a service provider. A user may prove to the service provider the validity of the credential by communicating a non-revocation component that is based upon a prime-order cryptographic group without a bilinear pairing. In order to authenticate the user, a verification mechanism within an identity management system applies private cryptographic data, including a verifier-designated private key to the non-revocation component, which proves that the user's identity and therefore, the credential is not revoked. The presentation proof includes a hash value that is computed using the credential's commitment and the prime-order cryptographic group. By verifying that the hash value was computed using that commitment, the verification mechanism validates the credential and permits access to the service provider.

Abstract: Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.

Abstract: Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.

Abstract: A privacy-preserving identity system is described herein that combines low disclosure tokens with an identity metasystem to allow proof of a user's identity and other claims about the user in a manner that preserves the user's privacy by avoiding disclosing unnecessary information about the user. A low or minimal disclosure token is a security token that encodes claims in such a way that (1) the token can be long-lived, (2) the token can be presented in an unlinkable manner, or (3) the user can minimally disclose the encoded information to respond to an unanticipated Relying Party policy. Using the privacy preserving system within an identity metasystem, users can obtain long-lived, low disclosure tokens from the Identity Provider and later present them to Relying Parties; thus improving both users' privacy and the system's scalability.

Abstract: Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.

Abstract: The claimed subject matter provides a system and method for enabling paid-for exchange of identity attributes with minimal disclosure credentials. An exemplary method includes requesting a credential from an identity provider by one of a user or a credential agent. The credential may be presented to a relying party, and the presented credential may be verified. Based on verification of the presented credential, a service of the relying party may be accessed by the user. The user, the relying party, a neutral third party, or the credential agent may provide payment for the credential to the identity provider, and the identity provider is unable to determine whether, where, when or by whom the credential has been used.

Abstract: One embodiment of the invention relates to a system for providing a support function in maintaining a computing system. The system includes a computer-implemented interface configured to receive a support user identification and a system user identification. The system also includes a support user implementation engine configured to set a support mode based on the support user identification and to log the support user into the computing system based on the system user identification. The system also includes one or more applications implemented by the computing system configured to perform one or more functions on the computing system in accordance with the system user identification and the support user identification.

Abstract: Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.

Abstract: A privacy-preserving identity system is described herein that combines low disclosure tokens with an identity metasystem to allow proof of a user's identity and other claims about the user in a manner that preserves the user's privacy by avoiding disclosing unnecessary information about the user. A low or minimal disclosure token is a security token that encodes claims in such a way that (1) the token can be long-lived, (2) the token can be presented in an unlinkable manner, or (3) the user can minimally disclose the encoded information to respond to an unanticipated Relying Party policy. Using the privacy preserving system within an identity metasystem, users can obtain long-lived, low disclosure tokens from the Identity Provider and later present them to Relying Parties; thus improving both user' privacy and the system's scalability.

Abstract: One embodiment of the invention relates to a system for providing a support function in maintaining a computing system. The system includes a computer-implemented interface configured to receive a support user identification and a system user identification. The system also includes a support user implementation engine configured to set a support mode based on the support user identification and to log the support user into the computing system based on the system user identification. The system also includes one or more applications implemented by the computing system configured to perform one or more functions on the computing system in accordance with the system user identification and the support user identification.