CN1389836A - Identity confirming method and citizen archive system - Google Patents
Identity confirming method and citizen archive system Download PDFInfo
- Publication number
- CN1389836A CN1389836A CN 01121335 CN01121335A CN1389836A CN 1389836 A CN1389836 A CN 1389836A CN 01121335 CN01121335 CN 01121335 CN 01121335 A CN01121335 A CN 01121335A CN 1389836 A CN1389836 A CN 1389836A
- Authority
- CN
- China
- Prior art keywords
- authentication
- citizen
- licensee
- word
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to the method for authenticating the identification and the system of the citizen archives. The certification authority stores and manages information of the licensee. The licenser submits the identification code and the authenticating word on-line. The certification authority accepts the replying authentication automatically. The information of the licensee is divided into multiple information units accessible logically. The licensee can manage and control the authenticating word as well as selects the bonding information units. The web site or the telephone information service station or the combination of the both can realize the system. The typical application is the citizen electric archieves system based on the domicile record.
Description
The invention belongs to computer network communication, information security, and population management's technical field.
Authentication of the present invention is meant legitimacy, authenticity and the validity of confirming citizenship, comprises the implication of citizenship being inquired about, examines, checks, verifies, confirmed all kinds of statement.In social life, people because of the transaction or other activities often need authenticating identity.Finland carries out electronic ID card and sets up on national network identification system (" Reference News " on March 27th, 2000 the 7th edition) is an effective method, can discern citizen's identity reliably.But authentication need disclose more a plurality of people's information toward contact, only also fails to accomplish neatly this point with electronic ID card.Because personal information relates to citizen's privacy, so various citizen's archives economy generally all relatively seals scheming safety, even Lian Gongmin can not consult easily.For allowing citizen oneself to consult, existing way is to unique password of citizen and can oneself be revised by it, when it need can only inform others by the password that it is unique, so its password just has by the risk of distorting and losing when others discloses own personal information.Forget the remedial measures that password prompt recovers though have, eventually inconvenience.And its unique password meaning is being made full powers, and personal information will be completely exposed.In fact, the purpose of existing citizen's archives economy and effect are not open to individual citizens mostly, citizen can not draw oneself up effectively open object, publicity pattern and the extent of disclosure of personal information.Existing technical method and system are to the management of citizen's archives, or too cautious sealing, or simple all open, can not resolve this dual problem of safekeeping of the open and individual privacy of necessity of individual citizens information rightly.
Purpose of the present invention is to propose a kind of identity identifying method, can take into account the safekeeping of the open and citizen's privacy of necessity of citizen's information, and then constructs a kind of opening, citizen's archives economy efficiently.Whether basic ideas of the present invention are that the implementation self-determination is limited open, promptly allow citizen oneself decision open, open to whom, and disclose its personal information on which kind of degree.
Set up a reliable certification authority,, openly provide the authentication service by computer communication network by the storage administration citizen of this certification authority information.The mode of storage administration can be that directly promptly citizen's information just is stored in the server of certification authority; Also can be indirect, promptly citizen's information stores and be connected effective data channel between this management organization and certification authority in the server of other management organization.The process of authentication is, solves people's (being the people of request authentication) and submits licensee's's (being certified people) identity code and authentication word to by networking, and certification authority accepts authentication request automatically, check authentication word, and retrieval licensee's information is also made authentication and is replied.Described identity code is the coding of citizen's tool uniqueness in certain region (as a country), as citizen ID certificate numbering, Social Security Number; Also can be organizational structure's coding and the assembly coding of citizen in this organizational structure's internal number.Described authentication word generally includes account number (being user name) and password, and its simple case is to have only password.The formation of account number and password all is the coding of character usually, the data representation of body surface feature that password also can be by gathering the people such as fingerprint, palmmprint it.
Whether one aspect of the present invention feature is to take to decide by oneself the disclosed mode of permission, promptly open by the autonomous decision of citizen, and who is disclosed its personal information.Open in order to realize deciding by oneself permission, allow the citizen to define multiple (promptly more than two) authentication word, and manage independently its authentication word of control by the citizen.Described authentication word and citizenship code close association, and work corresponding to specific identity code.According to the different of the generation use-pattern of authentication word and to the difference of citizen's Information Access authority, will authenticate word and be divided into four classes:
First kind authentication word is provided original definition by certification authority, and is related with licensee's identity code effective, gives the licensee and holds and manage independently control.Such authentication word has such authority especially, i.e. definition generates new authentication word, changes or cancel old (promptly original) authentication word.Such authentication word can also attach has the authority of consulting my information.The original definition of such authentication word also can provide by licensee oneself or by the organizational structure that the licensee served, and then admitted by certification authority and affirmation, but the licensee holds and manages independently control the most after all.
Second class authenticates word, and by its first kind of holding authentication word, autonomous definition generates, and is related with licensee's identity code effective by the licensee.Such authentication word has the authority of my information of inquiry.The licensee authorizes such authentication word and solves the people, solves people so and the right of this licensee's information of inquiry that secures permission.The licensee is by change or cancel the authentication word of authorizing other people, just can regain original permission, stops other people to use original authentication word to continue this licensee's of inquiry information.Such authentication word can also have an attribute, the term of validity of authentication authorization and accounting word.The licensee is the predetermined term of validity in such authentication word of definition, thereby time interval or the cumulative number that the people can inquire about this licensee's information solved in restriction.
The 3rd class authentication word, irrelevant by certification authority's definition with licensee's identity code, have the authority of inquiring about licensee's information.Such authentication word is not subjected to licensee control, directly authorizes its trusted mechanism by certification authority, enables to carry out authentication single or batch, and permission that need not the licensee.
The 4th class authentication word by certification authority's definition, has the authority of interpolation, modification and deletion licensee partial information content.The licensee do not authorized in such authentication word, do not authorize the general people that solves, to prevent that citizen's information from being distorted yet.Certification authority's permission according to law perhaps according to the agreement of reaching especially, is just authorized the third-party institution with such authentication word especially.For example, certification authority can authorize such authentication word to law court, deposits in this citizen's the archives so that law court can will be referred to specific citizen's lawsuit judgement.Again for example, certification authority can authorize such authentication word to the school or the inaugural mechanism of citizen's registration, so that such school or mechanism can add its student's academic information or its office worker's occupational information.
In the above-mentioned four classes authentication word, first and second class authentication word is basic, and is all relevant with citizen's identity code, and by citizen's autonomous management control.The citizen obtains disclosed right and ability are permitted in the self-determination of its personal information therefrom.
Another aspect of the present invention feature, be to take the disclosed mode of Finite control, promptly independently determine on which kind of degree, to disclose its personal information by the citizen, that is, some content of its personal information is disclosed by the autonomous decision of citizen, perhaps of equal valuely, by autonomous some content that determines hidden its personal information of citizen.Yet in order to guarantee necessary open and disclosed fairness, certification authority can stipulate that some partial content of citizen's information must not conceal when open.Open in order to realize Finite control, at first with the complete structure of citizen's information from being divided into the message unit of a plurality of controlled accesses in logic, secondly, allow when definition authentication word, to select binding to need disclosed message unit or unit group.Then, follow three criterions:
One, certification authority has the right to determine the message unit of some message units for the acquiescence binding, these message units will be bound automatically when the definition of authentication word.
Its two, the message unit of authentication word binding will be shown in authentication is replied.
Its three, the message unit do not bound of authentication word will be by hidden in authentication is replied.
Deciding by oneself permission and openly combine with Finite control is disclosed, promptly decide by oneself limited publicity pattern, is global feature of the present invention.During practical operation, can work out open scheme in advance, specifically bind some message units, and with a title or coded representation it.A plurality of open schemes can be arranged, when definition authentication word, only need choose the combination of one of them scheme or a plurality of schemes neatly, promptly reach effect authentication word and message unit binding.
Consider the popularity and the networking of authentication service, certification authority can directly accept the batch authentication request of other trusted mechanisms automatically, and permission that need not the licensee.In order to guarantee the fairness of citizen's information, forbid that the citizen changes its essential information.But the organizational structure of special permission should add, revises and delete specific citizen's partial information.By above-mentioned Classification Management, promptly can accomplish this point to the authentication word.In authentication was replied, can also show the licensee will be to solving the additional information that the people passes on, and this additional information is clear and definite in advance given by the licensee.
In view of the citizen is relevant with organizational structure usually, such as in the employment for hire of certain company, can with the organizational structure unit, submit to or affirmation licensee information to certification authority, and entrust certification authority that authentication service is provided.In the case, authenticate used identity code and can be different from citizen ID certificate numbering or Social Security Number, and can be organizational structure's coding and the assembly coding of citizen in this organizational structure's internal number.
Implementation of the present invention can be to set up internet site, also can be by the phone information service center, this dual mode can also be combined, thereby the authentication service openly is provided.Because of such service, certification authority can collect the charges to citizen who entrusts authentication or organizational structure.
According to said method of the present invention, can set up a kind of citizen's archives economy, promptly a kind of citizen's electronic archive system.The information content of this system is recorded as the basis with citizenship, is key word with the citizenship code, can also comprise citizen's placement file and behavior judge (comprise and estimating and judgement) record.The present invention is for the population order of setting up justice and high efficiency and improve social credibility and can produce actual effect and profound influence.
The present invention as shown in the figure.The storage administration licensee of certification authority (10) information (citizen's information) is authorized licensee (20) first kind authentication word (11).Licensee (20) relies on first kind authentication word (11), directly to the new authentication of certification authority's definition word (21), can also define one's own additional information (22).Described new authentication word (21) can be the modification to first kind authentication word, especially comprises new second class authentication word, and is licensee's range of information of the related binding of second class authentication word.Licensee (20) is with its definition and sent into second class authentication word (23) that certification authority (10) retains, independently authorizes and solves people (30).Solve identity code (31) and the authentication word (32) of people (30) with the licensee (20) that obtained, submit the identity of certification authority (10) to this licensee of request authentication, certification authority (10) is then checked and is retrieved, and makes authentication answer (13) to solving people (30) then.Reply in (13) in authentication, it is invalid to point out for invalid identity code (31) or invalid authentication word (32); Otherwise, then show by licensee (20) and limited, promptly the licensee's information in the related binding ranges of second class authentication word (23) wherein can comprise the predefined additional information of licensee (22).Solve the authentication word (32) that people (30) obtains and submit to, second class of being authorized with licensee (20) authenticates word (23) equivalence.Licensee (20) can be momentarily, directly revise or cancel it to certification authority (10) authorizes second class authentication of solving people (30) word (23), thereby the withdrawal license stops and solves the authentication word (32) that people (30) continuation is used even the diffusion use is obtained.Certification authority (10) authorizes the 3rd class authentication word (12) to the trust authority (40) of its affirmation, enable directly to submit to licensee's (20) identity code (41) request authentication to certification authority (10), and permission that need not licensee (20), certification authority (10) finishes retrieval automatically and makes authentication to trust authority (40) and reply (14).Certification authority (10) authorizes the 4th class authentication word (15) to special permission mechanism (50), and special permission mechanism (50) is so can directly add, revise or deletion licensee's information (51) to certification authority (10), permission that also need not licensee (20).Licensee's information is divided into the message unit of a plurality of controlled accesses on logical organization, the authentication word is selected some message unit of binding in when definition, and the authentication of finishing is replied the message unit content that will show binding and the hidden not message unit content of binding.
Realize a kind of best way of the present invention.Set up a certification authority, www server of internal configurations is by DDN access via telephone line internet.Register a domain name (for example eWho.net.cn), on server, set up an authentication website (for example www.eWho.net.cn), the authentication service openly is provided.Link to each other with database server in residence management department (as the public security bureau) internal lan in addition with an ISDN communication line.Citizen's archive database system is a distributed system: the storage administration citizen's of residence management department basic data, the storage administration citizen's of certification authority growth data and the definition of authentication word.Basic data is the household register data, is the household register record that is encoded to key word with citizen ID certificate, comprises I.D. numbering, name, sex, date of birth, nationality, schooling, home address, marital status.Growth data comprises citizen's school work, the record of career front, and the record that its resume and behavior are passed judgment on.Record is passed judgment in behavior, pressed note type-word section by the pen storage.Certification authority generates an initial authentication word for each citizen in its file store, i.e. first kind authentication word.The authentication word structurally is defined as combining of account and password, defines the message unit of access right classification and binding on attribute.With each field of citizen's file data interrecord structure respectively as message unit.Authentication website software is realized required management function through programming.Reading with the first kind to enter the empowerment management function, generates new authentication word, i.e. second class authentication word.The treatment scheme of authentication function is that when receiving authentication request, at first check authenticates the validity of word, if the invalid then simple prompting error message of replying; If the effectively then instant database server that connects residence management department of connecting extracts the basic data of being demonstrate,proved the citizen, together with the respective extension data of our station, according to the definition of authentication word, filter out the message unit content of being bound, tabulation constitutes the authentication return information then, feeds back to and solves people's reading.Privileged accounts and password are offered in the realization of also programming of authentication website software, i.e. law court and organizational structure that the citizen obtained employment authorized respectively in the 4th class authentication word, and enabling increases, revises and deletion is passed judgment on record to citizen's behavior citizen's archives.The phone information service center that certification authority will reach cooperation agreement is considered as trusted mechanism, authorizes the 3rd class to it and authenticates word, and the authentication website software programming realizes, directly accepts the authentication request of trusted mechanism submission automatically and makes the authentication answer.Portion's net configuration within it acting server in phone information service center inserts the internet through ISDN, and opens a service and number be specifically designed to the authentication service.Programming realizes authentication proxy's program, its function is that the phone ID authentication request with the audio communication service routine is accepted is converted to the website ID authentication request, be sent to authentication website through acting server, and accept to return the audio communication service routine of feeding from the authentication answer of authentication website.With this authentication proxy's program installation and operation on the in-house network of phone information service center, thus data sharing and service collaboration between realization phone information service center and the certification authority.
Realize another kind of simplified way of the present invention.Serve as certification authority voluntarily by organizational structure (for example company), on its website, increase a service function, provide post to authenticate its office worker to the public.Office worker's information comprises that the office worker numbers, I.D. numbering, name, sex, date of birth, schooling, photo, tenure department, academic title, position, scope of offical duty, tenure state and remarks explanation.Organizational structure's storage and uniform is managed its office worker's information, and the office worker decides by oneself limited its post information that discloses.
Claims (24)
1. identity identifying method, be at computing machine and communications network system environment, also openly provide networking authentication service by the storage administration licensee of certification authority information, solve identity code and authentication word request authentication that the people submits the licensee to, certification authority accepts and makes authentication automatically and replys, described identity identifying method is characterised in that, described licensee's information is divided into the message unit of a plurality of controlled accesses in logic, decide by oneself limited open by the licensee, the binding information unit selected in described authentication word when definition, reply the message unit that will show this authentication word binding and the message unit that hidden this authentication word is not bound corresponding to the authentication that an authentication word is finished, described authentication word comprises
Original definition is admitted or provided to first kind authentication word by certification authority, and is related with licensee's identity code effective, returns licensee oneself to hold, and has definition and generates new authentication word, revises and cancel the authority of old authentication word; With
Second class authentication word is independently defined, authorizes and cancelled by the licensee, and is related with licensee's identity code effective, has the authority of inquiry licensee information.
2. according to the method for claim 1, it is characterized in that described authentication word also comprises
The 3rd class authentication word, irrelevant and not controlled by the licensee by certification authority's definition with licensee's identity code, authorize trust authority, have the authority of inquiry licensee information.
3. according to the method for claim 1, it is characterized in that described authentication word also comprises
The 4th class authentication word by certification authority's definition, is not controlled by the licensee, franchising mechanism, the authority of have interpolation, revising and deleting licensee's partial information location contents.
4. according to the method for claim 1, it is characterized in that described licensee's information comprises licensee's placement file and to the judge record of licensee's behavior.
5. according to the method for claim 1, it is characterized in that described licensee's information is confirmed by the organizational structure relevant with the licensee or submitted to, and entrusts certification authority's administrative authentication.
6. according to the method for claim 1, it is characterized in that described licensee's information has at least a message unit clearly to be given tacit consent to binding and do not authenticated the restriction that word defines by certification authority.
7. according to the method for claim 1, it is characterized in that the formation of described identity code comprises institutional coding and the numbering of licensee in this organizational structure.
8. according to the method for claim 1, it is characterized in that described authentication word definable valid period.
9. according to the method for claim 1, it is characterized in that the information that comprises that also the licensee is additional is in advance replied in described authentication.
10. according to the method for claim 1, it is characterized in that described authentication service provides in the mode of internet site.
11. the method according to claim 1 is characterized in that, described authentication service provides in the mode of phone information service center.
12. the method according to claim 1 is characterized in that, described authentication service provides with the mode that the phone information service center combines with internet site.
13. citizen's archives economy, be at computing machine and communications network system environment, set up based on identity record by certification authority, with the identity code is citizen's archive database system of key word, networking authentication service openly is provided, solve the people is demonstrate,proved the citizen by submission identity code and authentication word request authentication, certification authority accepts and makes authentication automatically and replys, described citizen's archives economy is characterised in that, described citizen's archives are divided into the message unit of a plurality of controlled accesses in logic, decide by oneself limited open by the citizen, the binding information unit selected in described authentication word when definition, reply the message unit that will show this authentication word binding and the message unit that hidden this authentication word is not bound corresponding to the authentication that an authentication word is finished, described authentication word comprises
Original definition is admitted or provided to first kind authentication word by certification authority, and related with the identity code of being demonstrate,proved the citizen effectively the people oneself of making a public possession hold, and has definition and generate new authentication word, revise and cancel the authority of old authentication word; With
Second class authentication word is independently defined, authorizes and cancelled by the citizen, and is related with the identity code of being demonstrate,proved the citizen effective, has the authority of citizen's archives of the corresponding identity code of inquiry.
14. the system according to claim 13 is characterized in that, described authentication word also comprises
The 3rd class authentication word, irrelevant and do not demonstrate,proved the citizen and control by certification authority's definition with citizen's identity code, authorize trust authority, have the authority of inquiry citizen archives.
15. the system according to claim 13 is characterized in that, described authentication word also comprises
The 4th class authentication word by certification authority's definition, is not controlled by the citizen, franchising mechanism, the authority that has interpolation, revises and delete citizen's archives partial information location contents.
16. the system according to claim 13 is characterized in that, described citizen's archives comprise citizen's placement file and to the judge record of citizen's behavior.
17. the system according to claim 13 is characterized in that, described citizen's archives are confirmed by the organizational structure relevant with the citizen or are submitted to, and entrust certification authority's administrative authentication.
18. the system according to claim 13 is characterized in that, described citizen's archives have at least a message unit clearly to be given tacit consent to binding and do not authenticated the restriction that word defines by certification authority.
19. the system according to claim 13 is characterized in that, the formation of described identity code comprises institutional coding and the numbering of citizen in this organizational structure.
20. the system according to claim 13 is characterized in that, described authentication word definable valid period.
21. the system according to claim 13 is characterized in that, described authentication is replied and is also comprised the additional in advance information of citizen of being demonstrate,proved.
22. the system according to claim 13 is characterized in that, described authentication service provides in the mode of internet site.
23. the system according to claim 13 is characterized in that, described authentication service provides in the mode of phone information service center.
24. the system according to claim 13 is characterized in that, described authentication service provides with the mode that the phone information service center combines with internet site.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 01121335 CN1389836A (en) | 2001-05-31 | 2001-05-31 | Identity confirming method and citizen archive system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 01121335 CN1389836A (en) | 2001-05-31 | 2001-05-31 | Identity confirming method and citizen archive system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1389836A true CN1389836A (en) | 2003-01-08 |
Family
ID=4664429
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 01121335 Pending CN1389836A (en) | 2001-05-31 | 2001-05-31 | Identity confirming method and citizen archive system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1389836A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100419618C (en) * | 2003-07-24 | 2008-09-17 | 皇家飞利浦电子股份有限公司 | Hybrid device and person based authorized domain architecture |
-
2001
- 2001-05-31 CN CN 01121335 patent/CN1389836A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100419618C (en) * | 2003-07-24 | 2008-09-17 | 皇家飞利浦电子股份有限公司 | Hybrid device and person based authorized domain architecture |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3465418B1 (en) | Systems and methods for providing identity scores | |
| CN102959559B (en) | For the method producing certificate | |
| CN111552955B (en) | Personal identity authentication method and device based on block chain and IPFS | |
| US7363650B2 (en) | System and method for incrementally distributing a security policy in a computer network | |
| JP3505058B2 (en) | Network system security management method | |
| US20010027527A1 (en) | Secure transaction system | |
| CN106534199B (en) | Distributed system certification and rights management platform under big data environment based on XACML and SAML | |
| US20030115322A1 (en) | System and method for analyzing security policies in a distributed computer network | |
| US20070150299A1 (en) | Method, system, and apparatus for the management of the electronic files | |
| US9037849B2 (en) | System and method for managing network access based on a history of a certificate | |
| US9825938B2 (en) | System and method for managing certificate based secure network access with a certificate having a buffer period prior to expiration | |
| US20030163686A1 (en) | System and method for ad hoc management of credentials, trust relationships and trust history in computing environments | |
| US20070061872A1 (en) | Attested identities | |
| US20070143475A1 (en) | Identification services | |
| US20110289322A1 (en) | Protected use of identity identifier objects | |
| CN101582769A (en) | Authority setting method of user access network and equipment | |
| US20140223578A1 (en) | Secure data delivery system | |
| JPH10504150A (en) | A method for securely using digital signatures in commercial cryptosystems | |
| CN112199448A (en) | Industrial and commercial registration method and system based on block chain | |
| US20040015699A1 (en) | Identification and contact information | |
| KR100375273B1 (en) | Method and system for identifying an identity on Internet | |
| Abelson et al. | Digital identity in cyberspace | |
| JP4805615B2 (en) | Access control method | |
| Greenleaf et al. | Privacy implications of digital signatures | |
| US7660770B2 (en) | System and method for providing a secure contact management system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |