| 摘要 |
A method for reading at least one attribute stored in an ID token using first, second and third computer systems, wherein the third computer system comprises a browser and a client, and wherein a service certificate is assigned to the second computer system, wherein the service certificate comprises an identifier which is used to identify the second computer system, wherein the ID token is assigned to a user, a first cryptographically protected connection (TLS1) is set up between the browser of the third computer system and the second computer system, wherein the third computer system receives a first certificate, the first certificate is stored by the third computer system, the third computer system receives a signed attribute specification via the first connection, a second cryptographically protected connection (TLS2) is set up between the browser of the third computer system and the first computer system, wherein the third computer system receives a second certificate, the signed attribute specification is forwarded from the third computer system to the first computer system via the second connection, the first computer system accesses an authorization certificate, wherein the authorization certificate comprises the identifier, a third cryptographically protected connection (TLS3) is set up between the first computer system and the client of the third computer system, wherein the third computer system receives the authorization certificate containing the identifier via the third connection, the client of the third computer system checks whether the first certificate comprises the identifier as proof of the fact that the first certificate matches the service certificate, the user is authenticated with respect to the ID token, the first computer system is authenticated with respect to the ID token, a fourth cryptographically protected connection with end-to-end encryption is set up between the ID token and the first computer system, after the user and the first computer system have been successfully authenticated with respect to the ID token, the first computer system has read access to the at least one attribute stored in the ID token via the fourth connection in order to read the one or more attributes specified in the attribute specification from the ID token,—the first computer system transmits the at least one attribute to the second computer system after said attribute has been signed. |
| 主权项 |
1. A method for reading at least one attribute stored in an ID token using first, second and third computer systems, the third computer system comprising a browser and a client, and a service certificate being assigned to the second computer system, the service certificate containing an identifier which identifies the second computer system, the ID token being assigned to a user, comprising:
establishing a first cryptographically protected connection between the browser of the third computer system and the second computer system, wherein the third computer system receives a first certificate; the third computer system storing the first certificate; the third computer system receiving a signed attribute specification via the first connection; establishing a second cryptographically protected connection between the browser of the third computer system and the first computer system, wherein the third computer system receives a second certificate; the third computer system forwarding the signed attribute specification via the second connection to the first computer system; the first computer system accessing an authorization certificate, wherein the authorization certificate contains the identifier; establishing a third cryptographically protected connection between the first computer system and the client of the third computer system, wherein the third computer system receives the authorization certificate containing the identifier via the third connection; the client checking the third computer system as to whether the identifier is present in the first certificate as proof that the first certificate matches the service certificate; the user authenticating himself with respect to the ID token; the first computer system authenticating itself with respect to the ID token; establishing a fourth cryptographically protected connection between the ID token and the first computer system with end-to-end encryption; after successful authentication of the user and of the first computer system with respect to the ID token, the first computer system receiving read access to the at least one attribute stored in the ID token via the fourth connection so as to read the one or more attributes specified in the attribute specification from the ID token; the first computer system transmitting the at least one attribute to the third computer system after the attribute has been signed; and the third computer system transmitting the at least one signed attribute to the second computer system, where the at least one signed attribute is transmitted to the second computer system without use of any direct connection between the first computer and the second computer. |
