Title of invention: Method for managing and checking data from different identity domains organized into a structured set
Abstract: The invention relates to a method and system for managing and checking different identity data relating to a person. According to the invention, a derived-identity management server generates for the person at least part of the identity data with which said person can be authenticated in relation to a service provider for the derived-identity domain, on the basis of information derived from identity data from parent domains. The identity data generation processing ensures that no link can be established from two authentications in two separate domains in the absence of link information. If necessary, said link information is transmitted by a parent domain to a derived-identity server so that the latter establishes the link between the identity data of the derived-identity domain and the identity data of the parent domain, e.g. for the cascade revocation of a person from various domains.
Publication number: US9407637(B2); publication date: 2016.08.02
Application number: US201214237556; filing date: 2012.08.02
Applicant: MORPHO; inventors: Patey Alain; Chabanne Herve; Bringer Julien
Classification: H04L29/06; H04L9/32; H04L9/08; main classification: H04L29/06
Agency: Blakely Sokoloff Taylor & Zafman LLP; agent: Blakely Sokoloff Taylor & Zafman LLP
Main claim: 1. A method of management and control of different identity data of an individual, the different identity data corresponding to several identity domains organised into a structured set, wherein the identity data for at least one parent domain is necessary to generate identity data for a derived identity domain, the method comprising: authenticating the individual for each parent domain starting from the identity data of the individual for the parent domain, comprising a secret key and a revocation token for the parent domain identity data, said authentication being performed by a derived identity domain management server and comprising: receiving information dependent on the parent domain identity data, comprising information obtained from the revocation token of the individual for the parent domain identity data, and at least one item of information as a proof of validity of said information dependent on the parent domain identity data; using the validity proof, verifying that the information dependent on the parent domain identity data is valid; and authenticating the individual for the parent domain using said information dependent on the parent domain identity data; the derived identity domain management server generating, from the received information dependent on the parent domain, at least one identity data with which the individual can authenticate himself with a service provider for a derived identity domain, said identity data generation comprising generating, from the revocation token of the individual for the parent domain identity data, a derived identity secret key and a revocation token of the individual for the derived identity domain; and the derived identity domain management server storing derivation information containing at least one of the items of information exchanged during the authentication processing, so that a link between identity data of the derived identity domain and identity data of the parent domain can be made later if required, according to link information transmitted by a parent domain, the generation processing of the identity data for the derived identity domain done by the different identity domain management servers being such that no parent domain identity data can be inferred from the derived domain identity data.
Address: Issy-les-Moulineaux FR