Patents by Inventor Kapil Sachdeva

Kapil Sachdeva has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20140020051
    Abstract: Method for providing user-to-user delegation service in federated identity environment, characterized in that it comprises a delegation or assignment step wherein a delegator specifies said delegation at an identity provider for delegating a privilege or task to a delegatee to be performed at a service provider.
    Type: Application
    Filed: March 26, 2012
    Publication date: January 16, 2014
    Applicant: GEMALTO SA
    Inventors: HongQian Karen Lu, Ksheerabdhi Krishna, Kapil Sachdeva
  • Patent number: 8527757
    Abstract: The invention relates to a portable authentication token comprising connection means for connecting to a computer, browser communication means for communicating with a browser running on the computer, and user authentication means for authenticating a user of the token to a server. The user authentication means are triggered via the browser communication means when the user connects to the server from the browser of the computer. The user authentication means are set to authenticate the user by communicating with the server through the browser. The token comprises out-of-band token communication means set to validate user authentication by establishing a communication channel between the token and the server, the communication channel bypassing the browser. The invention also relates to an authentication method and to a system comprising a token, a computer and a server to which the user authenticates with the token.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: September 3, 2013
    Assignee: Gemalto SA
    Inventors: HongQian Karen Lu, Asad Mahboob Ali, Kapil Sachdeva
  • Publication number: 20130046991
    Abstract: A system, method and computer-readable storage medium with instructions for operating a digital signature server and a portable security device to cooperate to provide digital signature services using a private key stored on the portable security device by delegating to a user's smart card the actual task of digitally signing documents. Other systems and methods are disclosed.
    Type: Application
    Filed: March 8, 2010
    Publication date: February 21, 2013
    Applicant: GEMALTO SA
    Inventors: HongQian Karen Lu, Kapil Sachdeva
  • Publication number: 20110320818
    Abstract: A method of operating a host computer having a web-browser with the capability of executing at least one web-browser add-on to provide a web application access to a smart card to protect the smart card from security threats associated with being connected to the Internet. Prior to establishing a connection between a web application executing in the web browser, verifying that the web application has been authorized to connect to a smart card using the web-browser add-on to provide a web application access to a smart card.
    Type: Application
    Filed: March 5, 2010
    Publication date: December 29, 2011
    Applicant: GEMALTO SA
    Inventors: Ksheerabdhi Krishna, Kapil Sachdeva, HongQian Karen Lu
  • Patent number: 7926096
    Abstract: A system and a method for operating a device that is not capable of independently maintaining a local time clock to enforce a time-based transaction policy that requires a reliable time reference. The device establishes a secure communications channel to one or more network-attached time sources and inquires of each of the network-attached time-sources as to the current time using the secure communications channel. The device receives the current time from the network-attached time-sources and uses the received current times to estimate a current calendar time and to compute a reliability index associated with the estimated current calendar time. The device uses the estimated current calendar time and reliability index to enforce the time-based transaction policy.
    Type: Grant
    Filed: August 31, 2005
    Date of Patent: April 12, 2011
    Assignee: Gemalto SA
    Inventors: Asad Mahboob Ali, Bertrand du Castel, Apostol Vassilev, Sylvain Prevost, Kapil Sachdeva
  • Publication number: 20100235637
    Abstract: The invention relates to a portable authentication token comprising connection means for connecting to a computer, browser communication means for communicating with a browser running on the computer, and user authentication means for authenticating a user of the token to a server. The user authentication means are triggered via the browser communication means when the user connects to the server from the browser of the computer. The user authentication means are set to authenticate the user by communicating with the server through the browser. The token comprises out-of-band token communication means set to validate user authentication by establishing a communication channel between the token and the server, the communication channel bypassing the browser. The invention also relates to an authentication method and to a system comprising a token, a computer and a server to which the user authenticates with the token.
    Type: Application
    Filed: June 23, 2008
    Publication date: September 16, 2010
    Applicant: GEMALTO, SA
    Inventors: H. Karen Lu, Asad Mahboob Ali, Kapil Sachdeva
  • Patent number: 7748609
    Abstract: A client-side application extension executable on a host computer from within a web-browser having the capability of executing at least one web-browser add-on to provide a user access to a smart card, connected to the host computer having a smart card resource manager, via the web-browser. The web-browser extension has instructions to direct the central processing unit to access data on the smart card via a web-browser and platform independent interface module and a web-browser and platform dependent wrapper module connected to the web-browser and platform independent interface module and to the smart card resource manager having a function processing module operable to receive a call to the at least one function for accessing data on the smart card and for transforming the function call into a corresponding call to the smart card resource manager.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: July 6, 2010
    Assignee: Gemalto Inc.
    Inventors: Kapil Sachdeva, Ksheerabdhi Krishna
  • Patent number: 7698703
    Abstract: A system and method for establishing uniqueness in type definition names. Each application vendor has associated therewith a unique data sequence. The data sequence is combined with the type definition name and then a digital operation is performed to produce a unique digital identifier that is used in place of the type name.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: April 13, 2010
    Assignee: Gemalto Inc.
    Inventors: Kapil Sachdeva, Sylvain Prevost
  • Patent number: 7665667
    Abstract: Updating the access control of a smart card at multiple points of the smart card life cycle. The system and method for updating the access control mechanisms during the smart card life cycle includes implementing an interface having a method for providing access control and a method for registering an access manager as an active access manager. In response to a request to register an access manager, the system and method executes the method for determining whether registering the access manager may be allowed.
    Type: Grant
    Filed: September 30, 2005
    Date of Patent: February 23, 2010
    Assignee: Gemalto Inc.
    Inventors: Sylvain Prevost, Kapil Sachdeva
  • Patent number: 7565536
    Abstract: Secure authentication of a user on a host computer to a web server including a security device acquiring trust or a security context from the web server. The security device is operable of providing an X.509 certificate to a browser plug-in on the host computer. The browser plug-in on the host computer performing authentication of the security device and in response providing user credentials to the security device. The security device performing authentication of the user and requests a security context from the web server. In response, the web server provides a security context to the security device. The security device delegates the web server trust by transmitting the context to the host computer and enabling the user to securely access resources on the web server.
    Type: Grant
    Filed: September 2, 2005
    Date of Patent: July 21, 2009
    Assignee: Gemalto Inc
    Inventors: Apostol Vassilev, Kapil Sachdeva
  • Publication number: 20090064301
    Abstract: A client-side application extension executable on a host computer from within a web-browser having the capability of executing at least one web-browser add-on to provide a user access to a smart card, connected to the host computer having a smart card resource manager, via the web-browser. The web-browser extension has instructions to direct the central processing unit to access data on the smart card via a web-browser and platform independent interface module and a web-browser and platform dependent wrapper module connected to the web-browser and platform independent interface module and to the smart card resource manager having a function processing module operable to receive a call to the at least one function for accessing data on the smart card and for transforming the function call into a corresponding call to the smart card resource manager.
    Type: Application
    Filed: August 31, 2007
    Publication date: March 5, 2009
    Applicant: GEMALTO, INC.
    Inventors: Kapil Sachdeva, Ksheerabdhi Krishna
  • Publication number: 20070101145
    Abstract: A consent service on a host computer providing cryptographically signed consent for user attributes by a user on a host computer to a web service provider. The consent service is operable to provide decryption of the user attributes acquired by the web service provider from an identity provider. The consent service displaying and acquiring user consent to one or more user attributes displayed in a browser web page to the user on the host computer. The consent service is operable to provide encryption of the user consented attributes and to generate cryptographically signed consent of the user. The consent service conveying and transmitting the user consented attribute and cryptographically signed user consent to the web service provider. The web service provider is operable to provide decryption of the user consented attributes and storing the user consented attributes and signed user consent.
    Type: Application
    Filed: October 31, 2005
    Publication date: May 3, 2007
    Applicant: Axalto Inc.
    Inventors: Kapil Sachdeva, Ksheerabdhi Krishna
  • Publication number: 20070058812
    Abstract: A system and a method for operating a device that is not capable of independently maintaining a local time clock to enforce a time-based transaction policy that requires a reliable time reference. The device establishes a secure communications channel to one or more network-attached time sources and inquires of each of the network-attached time-sources as to the current time using the secure communications channel. The device receives the current time from the network-attached time-sources and uses the received current times to estimate a current calendar time and to compute a reliability index associated with the estimated current calendar time. The device uses the estimated current calendar time and reliability index to enforce the time-based transaction policy.
    Type: Application
    Filed: August 31, 2005
    Publication date: March 15, 2007
    Inventors: Asad Ali, Bertrand du Castel, Apostol Vassilev, Sylvain Prevost, Kapil Sachdeva
  • Publication number: 20070056025
    Abstract: Secure authentication of a user on a host computer to a web server including a security device acquiring trust or a security context from the web server. The security device is operable of providing an X.509 certificate to a browser plug-in on the host computer. The browser plug-in on the host computer performing authentication of the security device and in response providing user credentials to the security device. The security device performing authentication of the user and requests a security context from the web server. In response, the web server provides a security context to the security device. The security device delegates the web server trust by transmitting the context to the host computer and enabling the user to securely access resources on the web server.
    Type: Application
    Filed: September 2, 2005
    Publication date: March 8, 2007
    Inventors: Kapil Sachdeva, Apostol Vassilev
  • Publication number: 20070000995
    Abstract: A system and method for establishing uniqueness in type definition names. Each application vendor has associated therewith a unique data sequence. The data sequence is combined with the type definition name and then a digital operation is performed to produce a unique digital identifier that is used in place of the type name.
    Type: Application
    Filed: June 29, 2005
    Publication date: January 4, 2007
    Inventors: Kapil Sachdeva, Sylvain Prevost
  • Publication number: 20060076420
    Abstract: Updating the access control of a smart card at multiple points of the smart card life cycle. The system and method for updating the access control mechanisms during the smart card life cycle includes implementing an interface having a method for providing access control and a method for registering an access manager as an active access manager. In response to a request to register an access manager, the system and method executes the method for determining whether registering the access manager may be allowed.
    Type: Application
    Filed: September 30, 2005
    Publication date: April 13, 2006
    Applicant: Axalto Inc.
    Inventors: Sylvain Prevost, Kapil Sachdeva
  • Publication number: 20060047954
    Abstract: Providing application programs the right to access a data item while preventing security breaches, allowing applications and data to be independently updated, and allowing multiple applications to share the data item. Each application program has associated therewith a first public key and each data file has associated therewith a second public key. If these public keys match for a particular application program and data file, the application program is granted access to the data file.
    Type: Application
    Filed: August 30, 2004
    Publication date: March 2, 2006
    Applicant: Axalto Inc.
    Inventors: Kapil Sachdeva, Sylvain Prevost
  • Publication number: 20060047955
    Abstract: Protecting an application of a multi-application smart card against unauthorized manipulations. A system and method for guarding against unauthorized modifications includes partitioning the application into a plurality of basic blocks. Basic blocks are programming atomic units that have one entry point and one exit point and comprise a set of data units. For each basic block a check value associated with a basic block is computed wherein the check value is a function of the data units of the basic block. This check value is somehow remembered and later recalled and checked either during execution of the corresponding basic block of the application program or prior to execution of the application program. During or prior to execution of the basic block the re-computed check value is verified to be the same as the remembered check value. If not, an error condition is indicated and a corrective action may be taken.
    Type: Application
    Filed: August 30, 2004
    Publication date: March 2, 2006
    Applicant: Axalto Inc.
    Inventors: Sylvain Prevost, Kapil Sachdeva