Title of invention: ELECTRONIC TRANSACTION METHOD AND COMPUTER SYSTEM
Abstract: The invention relates to an electronic transaction method using an ID token (106) that is associated with a user (102), wherein the ID token has an electronic memory (118) with a protected memory area (124) that stores one or more attributes, wherein access to the protected memory area is possible only via a processor (128) of the ID token, and wherein the ID token has a communication interface (108) for communication with a reader of a user computer system (100), having the following steps:
– set-up of a first session (201) between an application program (112), particularly an Internet browser of the user computer system, and a service computer system (150) via a network (116),
– reception of a transaction request (158) concerning the first session from the application program (112) by the service computer system,
– production of a request (166) by the service computer system on the basis of the reception of the transaction request, the request being signed by the service computer system and the request containing an attribute specification for the attributes that are to be read from the ID token for performing the transaction, transaction data for specifying the transaction, an identifier (180) of the request, a URL of an ID provider computer system and a URL of the service computer system,
– transmission of a web page (160) and of the request concerning the first session from the service computer system to the user computer system, the web page having an input field (162) for the input of supplementary information (168) for performing the transaction,
– display of the web page by the application program and input of the supplementary information into the input field by the user,
– set-up of a second session (202) between the application program (112) and the ID provider computer system via the network using the URL of the ID provider computer system, the second session being set up with a secure transport layer,
– forwarding of the request and of the supplementary information from the application program to the ID provider computer system via the second session,
– on the basis of reception of the request, production of a session ID for a third session (203) by the ID provider computer system and storage of the request and of the supplementary information by the ID provider computer system,
– transmission of a message from the ID provider computer system to the application program (112) with the session ID of the third session and a logical address, particularly a URL, via the second session,
– set-up of the third session between a program (113) of the user computer system and the ID provider computer system via the secure transport layer of the second session, the program being able to be different from the application program (112),
– transmission of at least one certificate (144) from the ID provider computer system to the program (113), the certificate containing a statement of reading rights for the ID provider computer system to read one or more of the attributes stored in the ID token, with the certificate being transmitted via the third session,
– checking by the program (113) to determine whether the reading rights indicated on the certificate are sufficient to permit read access by the ID provider computer system to the attribute(s) to be read on the basis of the attribute specification,
– production of a response (174) that contains the read attribute(s) and at least the identifier (180) of the request, and that is signed by the ID provider computer system,
– storage of the response for retrieval using the logical address,
– reading of the response from the ID provider computer system by the user computer system by retrieving the response from the logical address via the network by means of a read command,
– forwarding of the response to the service computer system by the user computer system via the first session,
– association of the response with the request by the service computer system using the identifier that the response contains,
– performance of the transaction by the ID provider computer system using the response.
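Added example, not taken from the patent: the reading-rights check made by the program (113) and the service computer system's association of the response (174) with its request via the identifier (180), written in Python. HMAC with a shared key stands in for the ID provider's signature, and all function, class and field names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a shared demo key; HMAC stands in for the ID provider's signature.
IDP_KEY = b"constructed-demo-key"

def sign(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()

def rights_sufficient(cert_rights, attribute_spec):
    # Check made by the program (113): the certificate's reading rights
    # must cover every attribute named in the attribute specification.
    return set(attribute_spec) <= set(cert_rights)

def idp_respond(request, read_attributes):
    # Response (174): read attributes plus the request identifier (180), signed.
    body = {"id": request["id"],
            "attributes": {a: read_attributes[a] for a in request["attributes"]}}
    return {"body": body, "signature": sign(body)}

class ServiceComputerSystem:
    def __init__(self):
        self.pending = {}  # identifier (180) -> outstanding request

    def make_request(self, attribute_spec, transaction_data):
        request = {"id": secrets.token_hex(16),
                   "attributes": sorted(attribute_spec),
                   "transaction": transaction_data}
        self.pending[request["id"]] = request
        return request

    def accept_response(self, response):
        body = response["body"]
        if not hmac.compare_digest(response["signature"], sign(body)):
            return None  # signature does not verify
        request = self.pending.pop(body["id"], None)  # each identifier is usable once
        if request is None:
            return None  # unknown or already used identifier
        if sorted(body["attributes"]) != request["attributes"]:
            return None  # response does not match the attribute specification
        return request["transaction"], body["attributes"]
```

Checking the signature before consuming the identifier keeps a forged response from invalidating a pending request.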
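Application publication number: WO2014206660(A1)  Application publication date: 2014.12.31
Application number: WO2014EP60576  Application date: 2014.05.22
Applicant: BUNDESDRUCKEREI GMBH  Inventors: DIETRICH, FRANK; PAESCHKE, MANFRED
Classification numbers: G06Q20/02; G06Q20/12; G06Q20/36; G06Q20/38  Main classification number: G06Q20/02
Agency:  Agent:
Main claim:
Address: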