WO2018152597A1 - A computer system and a computer implemented method for generating a digital certificate for identification data associated with an entity - Google Patents

Publication number
WO2018152597A1
Authority
WO
WIPO (PCT)
Prior art keywords
identifier
digital certificate
identification data
entity
status
Application number
PCT/AU2018/050175
Other languages
French (fr)
Inventor
Brook ADCOCK
Original Assignee
Adcock Private Equity Pty Ltd
Priority claimed from AU2017900661A
Application filed by Adcock Private Equity Pty Ltd
Publication of WO2018152597A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Definitions

  • the present invention relates to management of identification data associated with an entity and in particular to generating a digital certificate for identification data associated with the entity.
  • Entities such as a person, a business and an organization may need to provide their identity document(s), such as identity proofs, proofs of address and registration certificates, for a number of reasons. Such reasons may include, but are not limited to, seeking a loan or a mortgage, seeking a further registration, meeting regulatory compliances etc.
  • the present invention seeks to provide a computer system and a computer implemented method for generating one or more digital certificates for identification data associated with the entity, which will overcome or substantially mitigate at least some of the deficiencies of the prior art, or to at least provide an alternative.
  • ECC Elliptic-curve cryptography
  • RSA Rivest-Shamir-Adleman
  • AES 256-GCM
  • ECIES Elliptic Curve Integrated Encryption Scheme
  • ECDSA Elliptic Curve Digital Signature Algorithm
  • DSA Digital Signature Algorithm
  • The method may comprise:
  • a certification request to generate the digital certificate for the identification data, the certification request including the identification data and a certification request identifier to identify the certification request;
  • the identification data transmitting, via the communication interface, the identification data to a verification module for verification of the identification data with respect to the entity, the verification module being identified by a verification module identifier;
  • the status identifier is used to determine if the digital certificate is revoked or not. Particularly, the hash values used in the method ensure that any changes to the verification module identifier, the transaction identifier and the certification request identifier will lead to an invalid status identifier.
  • Generating the status identifier may comprise:
  • the method may further comprise:
  • the revocation request including the certification request identifier and the status identifier; identifying the status record in the status datastore by the status identifier;
  • the hash value of the certification request identifier is equal to the fourth hash value in the status record, replacing the fourth hash value in the status record with a NULL value to indicate that the digital certificate is revoked.
  • the method may further comprise:
  • the restoration request including the certification request identifier and the status identifier
  • the method may further comprise:
  • the method may further comprise storing the digital certificate in association with the identification data in a storage device.
  • the identification data may comprise one or more of the following attributes associated with the entity:
  • Generating the digital certificate may comprise generating the digital certificate with respect to one or more of the attributes.
  • the attributes may be provided from one or more of following sources:
  • the biometric feature may represent one or more of following features associated with the entity:
  • a fingerprint; a face;
  • Storing the digital certificate may comprise storing the digital certificate in a cloud-based storage device.
  • the communication interface may comprise one or more of the following:
  • NFC Near Field Communication
  • BLE Bluetooth Low Energy
  • The computer system for generating a digital certificate for identification data associated with an entity.
  • The computer system may comprise:
  • a memory device configured to store machine-readable instructions
  • a bus connected to the memory device
  • processor connected to the bus, the processor obtaining via the bus the machine-readable instructions from the memory device, and being configured by the machine-readable instructions to:
  • a certification request to generate the digital certificate for the identification data, the certification request including the identification data and a certification request identifier to identify the certification request; transmit via the communication interface, the identification data to a verification module for verification of the identification data with respect to the entity, the verification module being identified by a verification module identifier;
  • There is provided a computer software program, including machine-readable instructions, when executed by a processor, causing the processor to perform the method of any one of the preceding method claims.
  • Fig. 1 illustrates an exemplary environment of computing devices to which various embodiments of the present invention may be implemented
  • Fig. 2 illustrates an information flow diagram for generating a digital certificate for identification data associated with an entity, in accordance with an embodiment of the present invention
  • Fig. 3 illustrates an information flow diagram for revocation of the digital certificate associated with the entity, in accordance with an embodiment of the present invention
  • Fig. 4 illustrates an information flow diagram for generating a further digital certificate for the identification data associated with the entity, in accordance with an embodiment of the present invention
  • Fig. 5 illustrates an information flow diagram for verifying an identity of the entity, in accordance with an embodiment of the present invention
  • Fig. 6 illustrates an information flow diagram for verifying the identity of the entity, in accordance with another embodiment of the present invention.
  • Figs. 7A to 7C illustrate a computer implemented method for restoring a revoked digital certificate for the identification data associated with the entity, in accordance with an embodiment of the present invention
  • Fig. 8 illustrates a computer implemented method 800 for generating a digital certificate for identification data associated with an entity in accordance with an embodiment of the present invention
  • Fig. 9 illustrates an example of the digital certificate in accordance with an embodiment of the present invention.
  • Fig. 10 illustrates an example for determining a status identifier in accordance with an embodiment of the present invention.
  • Fig. 11 illustrates an example status record in accordance with an embodiment of the present invention.
  • Figure 1 illustrates an exemplary environment 100 of computing devices to which various embodiments of the present invention may be implemented.
  • the exemplary environment 100 comprises a computing device 102.
  • the first computing device 102 is a mobile device such as a cellular phone, a palmtop, a tablet computer, a Personal Digital Assistant (PDA).
  • PDA Personal Digital Assistant
  • the computing device 102 can be, for example, a laptop, a desktop or a tablet computer.
  • the computing device 102 is used by an entity or a user.
  • the communication network 104 is a Local Area Network (LAN) or a Wide Area Network (WAN).
  • the communication network 104 is the Internet.
  • Further connected to the communication network 104 is a registration authority module 106 associated with a registration authority.
  • the registration authority may be a service provider that is responsible for the registration of an entity for a digital certificate by checking evidence of identification data provided by the entity for compliance with a respective applicable identity proofing policy in a jurisdiction.
  • a post office or a motor vehicle management department can be a registration authority.
  • the registration authority may also be responsible for the secure distribution of digital certificates to subscribers.
  • a digital certificate is an electronic document that contains identity information to identify an entity. The digital certificate may be issued from the registration authority.
  • The registration authority module 106 comprises a memory device 110 configured to store machine readable instructions, a bus 114 connected to the memory device 110, a communication interface 108 connected to the bus 114 and a processor 112 connected to the bus 114.
  • Further connected to the communication network 104 is a relying party module 116 associated with a relying party.
  • The relying party is a recipient of a digital certificate that acts in reliance of the digital certificate and/or a digital certificate verified using the digital certificate.
  • An example of a relying party includes, but is not limited to, a liquor store, transport services, government service providers, commercial organisations, retail outlets, websites, etc.
  • The relying party module 116 comprises a memory device 120 configured to store machine readable instructions, a bus 124 connected to the memory device 120, a communication interface 118 connected to the bus 124 and a processor 122 connected to the bus 124.
  • Further, connected to the communication network 104 is a recipient device 126 associated with an individual.
  • the recipient device 126 comprises a memory device 130 configured to store machine readable instructions, a bus 134 connected to the memory device 130, a communication interface 128 connected to the bus 134 and a processor 132 connected to the bus 134.
  • each one of the communication interfaces 108, 118 and 128 comprises one or more of an internet interface, an NFC interface, a BLE interface and an optical information reader.
  • Further connected to the communication network 104 is a verification module 136 associated with one or more verification services.
  • the verification module 136 is shown in Figure 1 as a separate device (for example, a separate server) for description purposes, but the verification module 136 can also be a logical or physical part of another device, for example, the registration authority module 106.
  • the verification module 136 is a verification module stack comprising one or more of a document verification module 138 and a biometric feature verification module 140.
  • Further connected to the communication network 104 is a storage device 142.
  • the storage device 142 is configured to maintain one or more datastores 144, 146, 148 and 150, which may be generated or used in the present invention.
  • the storage device 142 may be one of but not limited to, a local storage device or a cloud-based storage device.
  • the computer system for generating a digital certificate for identification data associated with an entity can now be elucidated using the environment 100 as a reference.
  • Figure 2 illustrates an information flow diagram for generating a digital certificate for identification data associated with an entity, in accordance with an embodiment 200 of the present invention.
  • the entity may be an individual, a business or an organization.
  • the processor 112 of the registration authority module 106 obtains via the bus 114 the machine-readable instructions from the memory device 110, and is configured by the machine-readable instructions to receive, via the communication interface 108, the identification data associated with the entity.
  • the communication interface 108 is a user input interface.
  • An entity associated with the computing device 102, for example, the user of the computing device 102, presents their identity documents to the registration authority, and the staff working at the registration authority enter the identification data into the registration authority module 106 via the communication interface 108.
  • the communication interface 108 includes an optical information reader, for example, a Quick Response (QR) code reader or a bar code reader, to read the identification data from the identity documents if the identity documents have a QR code or a bar code printed thereon. The optical information reader may also be a scanner to scan the identity documents of the user.
  • the communication interface 108 is an Internet connection interface. The user may provide a web link to their identification data, and the registration authority module 106 retrieves the identification data from the web link via the communication interface 108.
  • the communication interface 108 includes a Near Field Communication (NFC) interface or Bluetooth Low Energy (BLE) interface. The registration authority module 106 receives, via the NFC interface or BLE interface, the identification data of the user from the computing device 102 of the user.
  • NFC Near Field Communication
  • BLE Bluetooth Low Energy
  • the communication interface 108 includes a biometric feature reader to determine the biometric features of the user, which is also able to serve as at least part of the identification data of the user in the present disclosure.
  • the biometric feature reader may include for example a facial image collector, a fingerprint collector, a microphone, a gesture sensor, etc.
  • the biometric feature reader can be used to capture the real-time biometric features of the entity when the entity is presenting their identity documents.
  • the identification data comprises one or more attributes associated with the entity.
  • These attributes characterise different aspects of the identification data of the entity. The attributes comprise one or more of the following:
  • The attributes are provided from or contained in one or more of following sources:
  • the processor 112 is configured to transmit, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the entity.
  • the document verification module 138 is configured to verify one or more identity documents for verification of the identity of the entity. For example, the verification module 138 compares the identification data received from the registration authority module 106 with the identification data pre-stored in the verification module 138 to verify the identity of the entity.
  • the biometric feature verification module 140 is configured to verify the identity of the entity using one or more biometric features selected from a group comprising the following:
  • the communication interface 108 may include more than one type of communication interface, for example, a biometric feature reader, an NFC interface and an Internet communication interface.
  • the biometric feature reader is used by the processor 112 of the registration authority module 106 to capture real-time biometric features of the entity, for example, a real-time facial or fingerprint image of the user.
  • the NFC interface is used by the processor 112 to receive the identification data from the computing device 102 of the user, which is stored in the computing device 102 of the user. Both the real-time biometric features captured by the biometric feature reader and the identification data received from the computing device 102 are sent from the registration authority module 106, via the Internet communication interface, to the verification module 136.
  • the verification module 136 is able to verify if the user who is providing the identification data from their computing device 102 is the entity identified in the identification data. For example, if the real-time captured biometric features and the identification data received from the computing device 102 match the biometric features and identification data pre-stored in the verification module 136, it is determined that the user who is providing the identification data from their computing device 102 is the entity identified in the identification data.
  • The verification module 136 is configured to generate an indication indicating that the identification data is verified with respect to the entity. For example, the verification module 136 may generate an indication for one or more attributes of the identification data to indicate the particular attribute(s) is verified. Further, the verification module 136 is configured to transmit the indication to the registration authority module 106. Further, the processor 112 is configured to receive the indication from the verification module 136. This way it is confirmed that the one or more documents and the one or more biometric features are valid and meet the necessary regulatory compliances. Further, the processor 112 is configured to generate a digital certificate to indicate the verification of the identification data based on the indication.
  • the processor 112 is further configured to generate the digital certificate with respect to the one or more of the attributes. For example, one digital certificate may be issued for the name of the entity, another digital certificate may be issued for the date of birth or the date of incorporation of the entity and yet another digital certificate may be issued for the address of the entity.
  • the processor 112 is configured to send the digital certificate to the computing device 102 associated with the entity for the digital certificate to be stored on the computing device 102.
  • the processor 112 is further configured to store the digital certificate in association with the identification data in the storage device 142.
  • the identification data may be stored in an identification data datastore 144 and the digital certificate may be stored in the digital certificate datastore 146.
  • the processor 112 is further configured to generate an identifier associated with the digital certificate and store the identifier in the storage device 142 in association with the digital certificate. In that manner, it is envisaged that the identifier may be stored in an identifier datastore 148.
  • the identification data datastore 144, the digital certificate datastore 146 and the identifier datastore 148 are associated with each other; therefore, the digital certificate datastore 146 and the identification data datastore 144 can be queried using a unique identifier in the identifier datastore 148.
  • The above process is applicable to a scenario where a user or an entity intends to obtain a digital certificate for their driver's license.
  • the entity is an individual user
  • the registration authority is a postal service
  • the document verification service is a motor registry.
  • the registration authority module 106 associated with the postal service receives the identification data of the user, which is recorded in the driver's license, via the Internet, or NFC or by scanning a QR code, as described above.
  • the processor 112 of the registration authority module 106 transmits the identification data to the document verification module 138 associated with the motor registry and receives the indication from the document verification module 138 that the driver's licence is verified.
  • the registration authority module 106 associated with the postal service then issues a digital certificate for attributes contained in the driver's license, such as the name of the user, the date of birth of the user and the address of the user. The digital certificate and the attributes may be stored in an encrypted or unencrypted form on the computing device 102 of the user.
  • The above process is also applicable to a scenario where a user or an entity generates a digital certificate for their driver's license by themselves.
  • the registration authority module 106 is a physical or logical part of the computing device 102 of the user.
  • The digital certificate thus generated may be used by the entity with a relying party (for example, a liquor store, transport services, government service providers, commercial organisations, retail outlets, websites, etc.) as a proof of identity.
  • As the digital certificate is stored on the computing device 102, it is both secure and convenient to share the digital certificate with the relying entity, particularly, the device associated with the relying entity.
  • If the computing device 102 is accessed by an unauthorized party and hence the digital certificate is stolen or compromised, the entity may request revocation of the digital certificate. It is envisaged that before the request for revocation could be accepted, that entity may need to provide the identifier and/or answer certain security questions and/or provide certain exclusive information etc. to establish the identity of the entity. Once the identity of the entity has been established and verified, a revocation request could be processed.
  • Figure 3 illustrates an information flow diagram for revocation of the digital certificate associated with the entity, in accordance with an embodiment 300 of the present invention.
  • the processor 112 is further configured to receive a request for revocation of the digital certificate associated with the entity.
  • the processor 112 is further configured to store the identifier associated with the digital certificate in a revocation datastore 150 to indicate that the digital certificate associated with the entity is revoked.
  • the revocation datastore 150 is a publicly accessible datastore and any relying party can check if the digital certificate provided to the relying party, by the entity, has been revoked or not when the relying party is conducting a transaction with the entity. It may also be desirable for the entity to be issued a further digital certificate to restore the proof of identity of the entity.
  • Figure 4 illustrates an information flow diagram for generating a further digital certificate for the identification data associated with the entity, in accordance with an embodiment 400 of the present invention.
  • the processor 112 is further configured to receive, via the communication interface 108, the identification data associated with the entity.
  • the processor 112 is further configured to transmit, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the entity.
  • the verification module 136 in turn is configured to generate a further indication on verification of the identification data and transmit the further indication to the registration authority module 106.
  • the processor 112 in turn is configured to receive from the verification module 136 the further indication indicating that the identification data is verified with respect to the entity.
  • the processor 112 is configured to generate a further digital certificate to indicate the verification of the identification data based on the indication. Further, the processor 112 is configured to generate a further identifier associated with the further digital certificate and the identifier. Also, the processor 112 is configured to store the further identifier in association with the identifier in the revocation datastore 150 to indicate that the further digital certificate is not revoked.
  • the further digital certificate obtained may be used to establish the identity of the entity with a relying party, such as a liquor store needing a proof of age of an individual or a highway toll service needing a proof of a valid driver's license of the individual.
  • Figure 5 illustrates an information flow diagram for verifying an identity of the entity, in accordance with an embodiment 500 of the present invention.
  • the processor 122 of the relying party module 116 obtains, via the bus 124, the machine-readable instructions from the memory device 120, and is configured by the machine-readable instructions to send, via the communication interface 118, a first request to the computing device 102 associated with the entity for a first digital certificate associated with the entity. It is to be noted here that the first digital certificate has been generated by the registration authority module 106 and sent to the computing device 102.
  • the processor 122 is further configured to send, via the communication interface 118, a second digital certificate associated with a further entity to the computing device 102 associated with the entity for the computing device 102 to verify the second digital certificate associated with the further entity.
  • the further entity refers to the relying party.
  • the processor 122 is further configured to receive, via the communication interface 118, a second indication indicative of an outcome of the verification of the second digital certificate. The verification of the second digital certificate is to ensure that the computing device 102 is sharing the identification data with a reliable entity. In that manner, it is envisaged that the computing device 102 may be configured to identify a digital signature provided by the registration authority module 106 in the second digital certificate. The outcome may be "success", "denial" or "alarm". "Success" may signify that the second digital certificate is verified, "denial" may signify that the second digital certificate is not verified and "alarm" may signify that the second digital certificate is fraudulent.
  • the processor 122 is configured to receive, via the communication interface 118, the first digital certificate from the computing device 102. The receiving of the first digital certificate is to ensure that the entity associated with the computing device 102 is reliable and registered. Further, the processor 122 is configured to verify the first digital certificate associated with the entity. Further, the processor 122 is configured to generate a first indication indicative of an outcome of the verification of the first digital certificate. In that manner, it is envisaged that the processor 122 may be configured to identify a digital signature provided by the registration authority module 106 in the first digital certificate.
  • the outcome may be "success", "denial" or "alarm". "Success" may signify that the first digital certificate is verified, "denial" may signify that the first digital certificate is not verified and "alarm" may signify that the first digital certificate is fraudulent. Further, the processor 122 is configured to send the first indication to the computing device 102 associated with the entity.
  • the processor 122 is further configured to send, via the communication interface 118, a second request to the computing device 102 associated with the entity for access to the identification data associated with the entity.
  • the second request may include a usage constraint.
  • the usage constraint includes an expiration time. Specifically, the expiration time is a deadline by which the processor 122 is required to receive the identification data.
  • the processor 122 is configured to receive, via the communication interface 118, the identification data associated with the entity within the usage constraint. For example, the processor 122 is configured to receive the identification data associated with the entity from the computing device 102 before the expiration time.
  • the usage constraint can also include an indication indicative of, for example, how the identification data is disseminated or distributed, or how the identification data is presented.
  • the usage constraint may require the identification data to be received from a USB drive, a remote datastore, or a Quick Response (QR) code or a bar code printed on a printable medium.
  • QR Quick Response
  • the processor 122 needs to verify the identification data with the verification module 136.
  • the processor 122 is further configured to verify the identification data associated with the entity by sending, via the communication interface, the identification data and to the verification module 136 for verification of the identification data and receiving from the verification module 136 the outcome of the verification of the identification data.
  • the outcome may be "success", "denial" or "alarm". "Success" may signify that the identification data is verified for an attribute, "denial" may signify that the identification data has not been verified for the attribute and "alarm" may signify that the identification data is fraudulent.
  • The above process is applicable to a scenario where an entity, for example an individual, conducts a transaction with a relying party.
  • the entity is an individual user and the relying party is a road network management organization, which is an organisation that maintains and manages road networks.
  • the registration authority in this example may be a postal service. Both the individual user and road network management organisation have registered with the registration authority and have been issued respective digital certificates.
  • the road network management organization may send a first request asking for the individual's driver's license at a check point on one of the roads under management.
  • the first request may include the digital certificate of the road network management.
  • the first request may be sent using the communication network 104, such as the internet.
  • the individual verifies the digital certificate of road network management on the computing device 102 and sends the digital certificate of their driver's license to the relying party module 116 associated with the road network management.
  • the relying party module 116 checks the revocation datastore 150 with respect to the user's digital certificate in order to determine if the user's digital certificate is revoked. If the user's digital certificate is not revoked, the relying party module 116 associated with the road network management verifies the user's digital certificate.
  • the relying party module 116 may also receive the user's identification data from the computing device 102 of the user, and then sends the user's identification data to the verification module 136 for verification. If the outcome of the verification module 136 is a "success", the digital certificate of the user's driver license is verified. This means this user is using a legitimate driver's license.
  • an individual may be able to verify another individual for an attribute.
  • the recipient device 126 associated with a recipient may be able to request a digital certificate issued by a registration authority, from the entity associated with the computing device 102.
  • Figure 6 illustrates an information flow diagram for verifying the identity of the entity, in accordance with another embodiment 600 of the present invention.
  • the processor 132 obtains, via the bus 134, the machine-readable instructions from the memory device 130, and is configured by the machine-readable instructions to receive, via the communication interface 128, the digital certificate from the computing device 102 associated with the entity, i.e., the sender.
  • Further, similar to the discussion above, using a digital signature of the registration authority module 106, the processor 132 is configured to verify the digital certificate associated with the sender.
  • the processor 132 is configured to generate an indication indicative of an outcome of the verification of the first digital certificate.
  • the outcome may be "success", "denial" or "alarm". "Success" may signify that the digital certificate associated with the sender is accepted by the recipient.
  • "Denial" may signify that the digital certificate associated with the sender is not accepted by the recipient or the sender refuses to be verified.
  • "alarm" may signify that the digital certificate associated with the sender is fraudulent.
  • the processor 132 is configured to send the indication to the computing device 102 associated with the sender.
  • Figures 7A to 7C illustrate a computer implemented method 700 for restoring a revoked digital certificate for the identification data associated with the entity, in accordance with an embodiment of the present invention.
  • the method begins at step 710 when the processor 112 receives, via the communication interface 108, the identification data associated with the entity.
  • the processor 112 transmits, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the entity.
  • the processor 112 receives from the verification module an indication indicating that the identification data is verified with respect to the entity.
  • the processor 112 generates the digital certificate to indicate the verification of the identification data based on the indication.
  • generating the digital certificate comprises generating the digital certificate with respect to the one or more of the attributes.
  • generating the digital certificate comprises generating a pair of a public key and a private key and encrypting the digital certificate with the public key.
  • the processor 112 sends the digital certificate to the computing device 102 associated with the entity for the digital certificate to be stored on the computing device 102.
  • the processor 112 may further store the digital certificate in association with the identification data in the storage device 142.
  • storing the digital certificate in association with the identification data comprises storing the digital certificate, via the communication network 104, in association with the identification data in the storage device 142.
  • storing the digital certificate comprises storing the digital certificate in a cloud-based storage device.
  • the method 700 further comprises generating 752 the identifier associated with the digital certificate and storing 754 the identifier in the storage device 142 in association with the digital certificate. In one embodiment of the invention, the method 700 further comprises receiving 756 the request for revocation of the digital certificate associated with the entity and storing 758 the identifier associated with the digital certificate in the revocation datastore 150 to indicate that the digital certificate associated with the entity is revoked.
  • the method 700 further comprises receiving 760, via the communication interface 108, the identification data associated with the entity.
  • the method 700 comprises transmitting 762, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the entity.
  • the method 700 comprises receiving 764 from the verification module 136 the further indication indicating that the identification data is verified with respect to the entity.
  • the method 700 comprises generating 766 the further digital certificate to indicate the verification of the identification data based on the indication.
  • the method 700 comprises generating 768 the further identifier associated with the further digital certificate and the identifier.
  • the method 700 comprises storing 770 the further identifier in association with the identifier in the revocation datastore 150 to indicate that the further digital certificate is not revoked.
  • Fig. 8 illustrates a method 800 for generating a digital certificate for identification data associated with an entity in accordance with an embodiment of the present invention.
  • The method 800 is performed by the registration authority module 106, particularly, the processor 112 of the registration authority module 106.
  • the entity associated with the computing device 102 stores their identification data on the computing device 102.
  • the user enters the identification data (for example, passport information including a name, nationality, a date of birth, gender, issuing authority, an expiration date, etc) into computing device 102 via a keyboard or touch screen of the computing device 102.
  • the computing device 102 includes an optical information reader, for example, a Quick Response (QR) code reader or a bar code reader, to read the identification data from the identity documents if the identity documents have a QR code or a bar code printed thereon.
  • The optical information reader may also be a scanner to scan the identity documents of the user.
  • the computing device 102 includes an Internet connection interface.
  • the user may provide a web link to their identification data, and the computing device 102 retrieves the identification data from the web link.
  • the computing device 102 includes a Near Field Communication (NFC) interface or Bluetooth Low Energy (BLE) interface.
  • the computing device 102 receives, via the NFC interface or BLE interface, the identification data of the user from a data source.
  • the computing device 102 generates a pair of signing keys for signature, including a public signing key and a private signing key, using a key generation algorithm, for example, Elliptic-curve cryptography (ECC), Rivest-Shamir-Adleman (RSA), etc. Also, the computing device 102 generates a pair of encryption keys for encryption, including a public encryption key and a private encryption key.
  • the registration authority module 106 generates a pair of signing keys for signature, including a public signing key and a private signing key, using a key generation algorithm, for example, Elliptic-curve cryptography (ECC), Rivest-Shamir-Adleman (RSA), etc.
  • the registration authority module 106 generates a pair of encryption keys for encryption, including a public encryption key and a private encryption key.
  • the computing device 102 and the registration authority module 106 conduct a handshake process following initialisation to confirm each other's identity.
  • the public signing key and the public encryption key of the computer device 102 are sent to the registration authority module 106, and the public signing key and the public encryption key of the registration module 106 are sent to the computing device 102.
  • the certification request includes the identification data and a certification request identifier to identify the certification request.
  • An example of the identification data includes a name (First name: John, Last name: Smith), nationality (Australia), a date of birth (27 July 1964), gender (Male), Identification Type (Passport), issuing authority (Australian Passport Office).
  • An example of the certification request identifier is 10123456.
  • the computing device 102 sends the certification request to the registration authority module 106.
  • the processor 112 of the registration authority module 106 receives, via the communication interface 108, the certification request including the identification data and the certification request identifier.
  • the processor 112 of the registration authority module 106 extracts the identification data from the certification request and transmits, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the user.
  • the registration authority module 136 may interact with multiple verification modules to verify different types of identification data, for example, Australian Passport Office, Australian Tax Office, etc.
  • Each of the verification modules is identified by a verification module identifier (for example, CA-IA-PASSPORT OFFICE for the verification module 136) within the registration authority module 106 for the registration authority module 106 to identify the verification module.
  • the verification module 136 in this example is a server of the authority that issues the passport for the user identified by the identification data, i.e., John Smith. The verification module 136 verifies the identification data and returns a verification response to the registration authority module 106.
  • the verification response includes an indication indicating that the identification data is verified with respect to the user (for example, a Boolean Value: TRUE) and a transaction identifier (for example, IA-Passport-123456) identifying the identification data that has been verified.
  • the transaction identifier is used in future communication with the verification module 136 in relation to the identification data and status of the identification data.
  • The verification module 136 sends the verification response to the registration authority module 106 and the processor 112 of the registration authority module 106 receives 830 the indication and the transaction identifier.
  • the processor 112 of the registration authority module 106 determines a status identifier based on hash values of the verification module identifier, the transaction identifier and the certification request identifier.
  • the status identifier is used to determine if the digital certificate is revoked or not.
  • the hash values used in method 800 ensure that any changes to the verification module identifier, the transaction identifier and the certification request identifier will lead to an invalid status identifier. This way, the status of the digital certificate can be determined, as described in detail below.
  • the processor 112 of the registration authority module 106 generates the digital certificate.
  • The digital certificate includes the identification data, the indication and the status identifier.
  • An example 900 of the digital certificate is shown in Fig. 9.
  • the processor 112 of the registration authority module 106 sends the digital certificate 900 to the computing device 102 associated with the user for the digital certificate 900 to be stored on the computing device 102. This way, the user is able to use the digital certificate 900 to conduct transactions with the relying party module 116.
  • Fig. 10 illustrates an example 1000 for determining the status identifier based on the hash values of the verification module identifier (i.e., CA-IA-PASSPORT OFFICE), the transaction identifier (i.e., IA-Passport-123456) and the certification request identifier (i.e., 10123456).
  • the status identifier is generated based on a Merkle Tree.
  • the verification module identifier denoted by a J
  • the transaction identifier denoted J
  • the certification request identifier denotes the inputs of the Merkle Tree.
  • the processor 112 of the registration authority module 106 applies a hash operation to the verification module identifier to determine a first hash value (i.e., c44b8874, denoted by "A").
  • the processor 112 of the registration authority module 106 applies the hash operation to the transaction identifier to determine a second hash value (i.e., 14faaad9, denoted by "B"). The processor 112 of the registration authority module 106 applies the hash operation to a combination (i.e., c44b887414faaad9) of the first hash value and the second hash value to determine a third hash value (i.e., e4ed87d6, denoted by "C").
  • the processor 112 of the registration authority module 106 applies the hash operation to the certification request identifier to determine a fourth hash value (i.e., 590371fd, denoted by "D").
  • the processor 112 of the registration authority module 106 applies the hash operation to a combination (i.e., e4ed87d6590371fd) of the third hash value and the fourth hash value to determine a fifth hash value (i.e., 9a1fd371, denoted by "ROOT").
  • the fifth hash value is the hash value of the root node of the Merkle Tree in Fig. 10.
  • the fifth hash value is determined to be the status identifier in example 1000.
  • the hash operation used in the example is CRC32.
  • other hash operations can also be used without departing from the scope of the invention, for example, CRC-16, MD2, MD4, MD5, SHA-256, etc.
  • the third hash value is referred to as IA-Hash-UUID.
  • the fourth hash value is referred to as IO-Hash-UUID.
  • The processor 112 of the registration authority module 106 further generates a status record.
  • the status record includes a "Status Identifier" field to contain the status identifier associated with the digital certificate, an "IA-Hash-UUID" field to contain the IA-Hash-UUID in the Merkle Tree, and an "IO-Hash-UUID" field to contain the IO-Hash-UUID in the Merkle Tree.
  • An example status record 1100 is shown in Fig. 11.
  • the processor 112 of the registration authority module 106 stores the status record in a status datastore, for example, the revocation datastore 150.
  • the computing device 102 extracts the status identifier from the digital certificate 900 stored thereon. As shown in Fig. 9, the status identifier associated with the digital certificate 900 is 9a1fd371.
  • the computing device 102 generates a revocation request including the certification request identifier (i.e., 10123456) and the status identifier, and sends the revocation request to the registration authority module 106.
  • the processor 112 of the registration authority module 106 receives the revocation request to revoke the digital certificate associated with the user and extracts the status identifier (i.e., 9a1fd371) and the certification request identifier from the revocation request.
  • the processor 112 of the registration authority module 106 searches the status datastore and identifies the status record 1100 in the status datastore by the status identifier.
  • The processor 112 of the registration authority module 106 applies the hash operation (for example, CRC32) to the certification request identifier (i.e., 10123456) to determine a hash value of the certification request identifier.
  • the hash value determined is 590371fd.
  • if the hash value of the certification request identifier is equal to the hash value in the "IO-Hash-UUID" field of the status record 1100, this means the digital certificate 900 has not been revoked, and the processor 112 of the registration authority module 106 then replaces the hash value in the "IO-Hash-UUID" field of the status record 1100 with a NULL value to indicate that the digital certificate 900 is revoked.
  • in order to restore the revoked digital certificate 900, the computing device 102 generates a restoration request including the certification request identifier (i.e., 10123456) and the status identifier (i.e., 9a1fd371), and sends the restoration request to the registration authority module 106.
  • the processor 112 of the registration authority module 106 receives the restoration request and extracts the status identifier (i.e., 9a1fd371) and the certification request identifier (i.e., 10123456) from the restoration request.
  • the processor 112 of the registration authority module 106 searches the status datastore and identifies the status record 1100 in the status datastore by the status identifier.
  • the processor 112 of the registration authority module 106 applies the hash operation (for example, CRC32) to the certification request identifier (i.e., 10123456) to determine a hash value of the certification request identifier. The hash value determined is 590371fd.
  • the processor 112 of the registration authority module 106 replaces the NULL value in the "IO-Hash-UUID" field of the status record 1100 with the hash value (i.e., 590371fd) of the certification request identifier to indicate that the revoked digital certificate 900 is restored.
  • the revocation can be initiated by the verification module 136.
  • the verification module 136 generates a revocation request to revoke the digital certificate 900 associated with the user.
  • the revocation request includes the transaction identifier (i.e., IA-Passport-123456).
  • The verification module 136 sends the revocation request to the registration authority module 106.
  • The processor 112 of the registration authority module 106 receives the revocation request and extracts the transaction identifier (i.e., IA-Passport-123456) from the revocation request.
  • the processor 112 of the registration authority module 106 applies the hash operation to the verification module identifier (i.e., CA-IA-PASSPORT OFFICE) to determine the first hash value (i.e., c44b8874).
  • the processor 112 of the registration authority module 106 further applies the hash operation to the transaction identifier (i.e., IA-Passport-123456) to determine the second hash value (i.e., 14faaad9).
  • the processor 112 of the registration authority module 106 applies the hash operation to the combination (i.e., c44b887414faaad9) of the first hash value and the second hash value to determine the third hash value (i.e., e4ed87d6).
  • the processor 112 of the registration authority module 106 searches the "IA-Hash-UUID" field in the status datastore by the third hash value and identifies the data record 1100 in the status datastore.
  • the processor 112 of the registration authority module 106 replaces the third hash value (i.e., e4ed87d6) in the "IA-Hash-UUID" field of the status record 1100 with a NULL value to indicate that the digital certificate 900 is revoked.
  • the user is able to use the digital certificate 900 to conduct transactions with the relying party module 116.
  • the digital certificate 900 with the status identifier (i.e., 9a1fd371) is sent by the user from the computing device 102 to the relying party module 116.
  • Prior to conducting transactions with the user, the relying party module 116 needs to verify that the digital certificate 900 is not revoked.
  • The relying party module 116 generates a status enquiry request to check if the digital certificate 900 associated with the user is revoked or not.
  • the status enquiry request includes the status identifier.
  • the relying party module 116 sends the status enquiry request to the registration authority module 102.
  • the processor 112 of the registration authority module 106 receives the status enquiry request and extracts the status identifier (i.e., 9a1fd371) from the status enquiry request.
  • The processor 112 of the registration authority module 106 searches the "Status Identifier" field of the status datastore by the status identifier (i.e., 9a1fd371) and identifies the status record 1100 in the status datastore.
  • the processor 112 of the registration authority module 106 extracts a hash value (i.e., e4ed87d6) from the "IA-Hash-UUID" field of the status record 1100 and another hash value (i.e., 590371fd) from the "IO-Hash-UUID" field of the status record 1100.
  • the processor 112 of the registration authority module 106 constructs a combination (i.e., e4ed87d6590371fd) of the two hash values and applies the hash operation to the combination to determine a hash value (i.e., 9a1fd371).
  • if the hash value determined is equal to the status identifier associated with the digital certificate 900, it is determined that the digital certificate 900 is not revoked.
  • the processor 112 of the registration authority module 106 generates a first message indicating that the digital certificate 900 is not revoked and sends the first message to the relying party module 116.
  • the relying party module 116 proceeds with transactions with the user using the digital certificate 900.
  • the processor 112 of the registration authority module 106 generates a second message indicating that the digital certificate 900 has been revoked and sends the second message to the relying party module 116.
  • the relying party module 116 rejects transactions with the user using the digital certificate 900.
  • The method steps as described above may be implemented as computer program code instructions executable by the respective processors of the registration authority module 106, the relying party module 116, and the recipient device 126.
  • the computer program code instructions may be divided into one or more computer program code instruction libraries, such as dynamic link libraries (DLL), wherein each of the libraries performs one or more steps of the method. Additionally, a subset of the one or more of the libraries may perform graphical user interface tasks relating to the steps of the method.
  • "bus" and its derivatives, while being described in an embodiment as being a communication bus subsystem for interconnecting various devices including by way of parallel connectivity such as Industry Standard Architecture (ISA), conventional Peripheral Component Interconnect (PCI) and the like or serial connectivity such as PCI Express (PCIe), Serial Advanced Technology Attachment (Serial ATA) and the like, should be construed broadly herein as any system for communicating data.
  • Similarly, objects as used herein such as "web server", "server", "client computing device", "computer readable medium" and the like should not necessarily be construed as being a single object, and may be implemented as two or more objects in cooperation, such as, for example, a web server being construed as two or more web servers in a server farm cooperating to achieve a desired goal or a computer readable medium being distributed in a composite manner, such as program code being provided on a compact disk activatable by a license key downloadable from a computer network.
  • the term that refers to a "module", for example, "registration authority module", "verification module", or "relying party module", is described as a physical and separate device (for example, a separate server), but the term can also represent a logical or physical part of another device.
  • datastore and its derivatives may be used to describe a single datastore, a set of datastores, a system of datastores or the like.
  • the system of datastores may comprise a set of databases wherein the set of databases may be stored on a single implementation or span across multiple implementations.
  • database is also not limited to refer to a certain database format; rather, it may refer to any database format.
  • database formats may include MySQL, MySQLi, XML or the like.
  • processor may refer to any device or portion of a device that processes electronic data, e.g., from registers and/or memory to transform that electronic data into other electronic data that, e.g., may be stored in registers and/or memory.
  • a computer or a computing device, or a computing machine, or a computing platform, may include one or more processors.
  • the methodologies described herein are, in one embodiment, performable by one or more processors that accept computer-readable (also called machine-readable) code containing a set of instructions that when executed by one or more of the processors carry out at least one of the methods described herein.
  • Any processor capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken is included.
  • a typical processing system that includes one or more processors.
  • the processing system further may include a memory subsystem including main RAM and/or a static RAM, and/or ROM.
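
The status-identifier scheme described above (hash tree over the three identifiers, holder-initiated revocation and restoration, verifier-initiated revocation, and the relying party's status enquiry) can be followed end to end in the sketch below. It is an added example, not code from the patent: the class and function names, the sample identifiers, and the choice to concatenate and hash the hex digests as ASCII text are assumptions, and the root re-check on restoration is an added safeguard the description does not state.

```python
import hashlib
import zlib
from typing import Callable, Dict, Optional

HashFn = Callable[[str], str]

# Constructed sample identifiers, modelled on the kinds of values in the description.
SAMPLE_VM_ID = "VM-EXAMPLE-PASSPORT"      # verification module identifier
SAMPLE_TXN_ID = "TXN-EXAMPLE-000001"      # transaction identifier
SAMPLE_REQ_ID = "10000001"                # certification request identifier


def crc32_hex(text: str) -> str:
    """CRC32 as 8 hex digits, the operation used in the description's example.
    CRC32 is a checksum, not a collision-resistant hash; it shows the data flow only."""
    return format(zlib.crc32(text.encode("ascii")) & 0xFFFFFFFF, "08x")


def sha256_hex(text: str) -> str:
    """SHA-256, one of the alternative hash operations the description lists."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()


class StatusDatastore:
    """Status records keyed by status identifier (ROOT), holding IA and IO hashes."""

    def __init__(self, h: HashFn = sha256_hex) -> None:
        self.h = h
        self.records: Dict[str, Dict[str, Optional[str]]] = {}

    def _ia_hash(self, vm_id: str, txn_id: str) -> str:
        # C = H(H(verification module id) + H(transaction id))  -> IA-Hash-UUID
        return self.h(self.h(vm_id) + self.h(txn_id))

    def issue(self, vm_id: str, txn_id: str, request_id: str) -> str:
        ia = self._ia_hash(vm_id, txn_id)
        io = self.h(request_id)               # D -> IO-Hash-UUID
        status_id = self.h(ia + io)           # ROOT -> status identifier
        self.records[status_id] = {"ia": ia, "io": io}
        return status_id

    def revoke_by_holder(self, status_id: str, request_id: str) -> bool:
        """Holder proves knowledge of the request identifier; IO field is nulled."""
        rec = self.records.get(status_id)
        if rec is None or rec["io"] is None or rec["io"] != self.h(request_id):
            return False
        rec["io"] = None
        return True

    def restore_by_holder(self, status_id: str, request_id: str) -> bool:
        """Refill the IO field. Added check (assumption): only when the recomputed
        root matches, so a wrong identifier or an issuer revocation is not undone."""
        rec = self.records.get(status_id)
        if rec is None or rec["io"] is not None or rec["ia"] is None:
            return False
        io = self.h(request_id)
        if self.h(rec["ia"] + io) != status_id:
            return False
        rec["io"] = io
        return True

    def revoke_by_verifier(self, vm_id: str, txn_id: str) -> bool:
        """Verification module revokes by transaction identifier; IA field is nulled."""
        ia = self._ia_hash(vm_id, txn_id)
        hit = False
        for rec in self.records.values():
            if rec["ia"] == ia:
                rec["ia"] = None
                hit = True
        return hit

    def is_valid(self, status_id: str) -> bool:
        """Status enquiry: recombine the stored hashes and compare with the root."""
        rec = self.records.get(status_id)
        if rec is None or rec["ia"] is None or rec["io"] is None:
            return False
        return self.h(rec["ia"] + rec["io"]) == status_id
```

With `crc32_hex` the status identifier is only 32 bits wide, so a deployment that relies on it for revocation decisions would pass `sha256_hex` or another cryptographic hash instead.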

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

There is provided a computer implemented method (800) for generating a digital certificate (900) for identification data associated with an entity. The method (800) comprises: receiving (810), via a communication interface (108), a certification request to generate the digital certificate (900) for the identification data, the certification request including the identification data and a certification request identifier to identify the certification request; transmitting (820), via the communication interface (108), the identification data to a verification module (136) for verification of the identification data with respect to the entity, the verification module (136) being identified by a verification module identifier; receiving (830) from the verification module (136) an indication indicating that the identification data is verified with respect to the entity and a transaction identifier identifying the identification data; determining (840) a status identifier based on hash values of the verification module identifier, the transaction identifier and the certification request identifier; generating (850) the digital certificate (900) including the identification data, the indication and the status identifier; and sending (860) the digital certificate (900) to a computing device (102) associated with the entity for the digital certificate (900) to be stored on the computing device (102).

Description

A COMPUTER SYSTEM AND A COMPUTER IMPLEMENTED METHOD FOR GENERATING A DIGITAL CERTIFICATE FOR IDENTIFICATION DATA ASSOCIATED WITH AN ENTITY
Field of the Invention
[1] The present invention relates to management of identification data associated with an entity and in particular to generating a digital certificate for identification data associated with the entity.
Background of the Invention
[2] Entities such as a person, a business and an organization may need to provide their identity document(s), such as identity proofs, proofs of address and registration certificates etc., for a number of reasons. Such reasons may include, but are not limited to, seeking a loan or a mortgage, seeking a further registration, meeting regulatory compliances etc.
[3] However, every time a new registration is needed for the entity, such as issue of a driver's license or a passport, a new identification number may be created for the entity. While it is already a tedious task for the entity to maintain and secure documentary proof of all the registrations, it also adds a number of undesirable redundancies in the entire system of functioning of the government or the authority. First, different authorities have to maintain separate datastores (for example, databases) for the same entity. Further, each time a registration is initiated, the concerned authority has to run verification checks to ensure validity of the provided documents. This not only leads to excessive effort, but also costs substantial time and financial resources. The problem is further worsened in situations, for example during medical emergencies, where there may not be sufficient time to run verification checks on the identity of a patient or source his or her medical history from different sources.
[4] The present invention seeks to provide a computer system and a computer implemented method for generating one or more digital certificates for identification data associated with the entity, which will overcome or substantially mitigate at least some of the deficiencies of the prior art, or to at least provide an alternative.
[5] It is to be understood that, if any prior art information is referred to herein, such reference does not constitute an admission that the information forms part of the common general knowledge in the art, in Australia or any other country.
[6] The terms used in the present invention in relation to cryptography and related algorithms, for example, hash operation, hash value, digital signature, public key, private key, verification, encryption, decryption, Elliptic-curve cryptography (ECC), Rivest-Shamir-Adleman (RSA), AES 256-GCM, Elliptic Curve Integrated Encryption Scheme (ECIES), Elliptic Curve Digital Signature Algorithm (ECDSA), Digital Signature Algorithm (DSA), CRC-16, CRC-32, MD2, MD4, MD5, SHA-256, etc., should be interpreted under the context of cryptography and related industrial practice.
Summary of the Invention
[7] There is provided a computer implemented method for restoring a revoked digital certificate for identification data associated with an entity. The method may comprise:
receiving, via a communication interface, the identification data associated with the entity;
transmitting, via the communication interface, the identification data to a verification module for verification of the identification data with respect to the entity;
receiving from the verification module an indication indicating that the identification data is verified with respect to the entity;
generating a digital certificate to indicate the verification of the identification data based on the indication;
generating an identifier associated with the digital certificate; and
storing the identifier in a storage device in association with the digital certificate;
receiving a request for revocation of the digital certificate associated with the entity;
storing the identifier associated with the digital certificate in a revocation datastore to indicate that the digital certificate associated with the entity is revoked;
receiving, via the communication interface, the identification data associated with the entity;
transmitting, via the communication interface, the identification data to the verification module for verification of the identification data with respect to the entity;
receiving from the verification module a further indication indicating that the identification data is verified with respect to the entity;
generating a further digital certificate to indicate the verification of the identification data based on the indication;
generating a further identifier associated with the further digital certificate and the identifier; and
storing the further identifier in association with the identifier in the revocation datastore to indicate that the further digital certificate is not revoked.
[8] There is provided a computer implemented method for generating a digital certificate for identification data associated with an entity. The method may comprise:
receiving, via a communication interface, a certification request to generate the digital certificate for the identification data, the certification request including the identification data and a certification request identifier to identify the certification request;
transmitting, via the communication interface, the identification data to a verification module for verification of the identification data with respect to the entity, the verification module being identified by a verification module identifier;
receiving from the verification module an indication indicating that the identification data is verified with respect to the entity and a transaction identifier identifying the identification data;
determining a status identifier based on hash values of the verification module identifier, the transaction identifier and the certification request identifier;
generating the digital certificate including the identification data, the indication and the status identifier; and
sending the digital certificate to a computing device associated with the entity for the digital certificate to be stored on the computing device.
[9] The status identifier is used to determine if the digital certificate is revoked or not. Particularly, the hash values used in the method ensure that any changes to the verification module identifier, the transaction identifier and the certification request identifier will lead to an invalid status identifier.
[10] Generating the status identifier may comprise:
applying a hash operation to the verification module identifier to determine a first hash value;
applying the hash operation to the transaction identifier to determine a second hash value;
applying the hash operation to a combination of the first hash value and the second hash value to determine a third hash value;
applying the hash operation to the certification request identifier to determine a fourth hash value; and
applying the hash operation to a combination of the third hash value and the fourth hash value to determine a fifth hash value as the status identifier.
[11] The method may further comprise:
generating a status record including the status identifier, the third hash value, and the fourth hash value; and
storing the status record in a status datastore.
[12] The method may further comprise:
receiving a revocation request to revoke the digital certificate associated with the entity, the revocation request including the certification request identifier and the status identifier;
identifying the status record in the status datastore by the status identifier;
applying the hash operation to the certification request identifier to determine a hash value of the certification request identifier;
if the hash value of the certification request identifier is equal to the fourth hash value in the status record, replacing the fourth hash value in the status record with a NULL value to indicate that the digital certificate is revoked.
[13] The method may further comprise:
receiving a restoration request to restore the revoked digital certificate associated with the entity; the restoration request including the certification request identifier and the status identifier;
identifying the status record in the status datastore by the status identifier;
applying the hash operation to the certification request identifier to determine the fourth hash value;
replacing the NULL value in the status record with the fourth hash value to indicate that the revoked digital certificate is restored.
[14] The method may further comprise:
receiving a revocation request to revoke the digital certificate associated with the entity; the revocation request including the transaction identifier;
applying the hash operation to the verification module identifier to determine the first hash value;
applying the hash operation to the transaction identifier to determine the second hash value;
applying the hash operation to the combination of the first hash value and the second hash value to determine the third hash value;
identifying the status record in the status datastore by the third hash value;
replacing the third hash value in the status record with a NULL value to indicate that the digital certificate is revoked.
[15] The method may further comprise:
receiving a status enquiry request to check if the digital certificate associated with the entity is revoked or not, the status enquiry request including the status identifier;
identifying the status record in the status datastore by the status identifier;
determining the other two hash values in the status record;
applying the hash operation to a combination of the other two hash values in the status record to determine a hash value;
if the status identifier is equal to the hash value, generating a first message indicating that the digital certificate is not revoked; and
if the status identifier is not equal to the hash value, generating a second message indicating that the digital certificate is revoked.
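The status-identifier scheme of paragraphs [10] to [15], written out as an added Python example that is not code from the patent. SHA-256 as the hash operation, byte concatenation as the "combination", the in-memory datastore and all names are assumptions; the check inside `restore()` is also an addition, since paragraph [13] as written replaces the NULL value without one.

```python
import hashlib
import hmac
from typing import Dict, Optional


def h(data: bytes) -> bytes:
    """The 'hash operation'. SHA-256 is an assumption; the page does not fix one."""
    return hashlib.sha256(data).digest()


def combine(a: bytes, b: bytes) -> bytes:
    """'Combination' of two hash values, assumed here to be concatenation.
    Both inputs are fixed-length digests, so the boundary is unambiguous."""
    return a + b


class StatusRecord:
    """Status record of [11]: status identifier plus third and fourth hash values."""
    def __init__(self, status_id: bytes, third: bytes, fourth: bytes) -> None:
        self.status_id = status_id
        self.third: Optional[bytes] = third    # H(H(vm_id) || H(txn_id)); None = NULL
        self.fourth: Optional[bytes] = fourth  # H(request_id); None = NULL


class StatusDatastore:
    def __init__(self) -> None:
        self._records: Dict[bytes, StatusRecord] = {}

    def issue(self, vm_id: bytes, txn_id: bytes, request_id: bytes) -> bytes:
        """[10]/[11]: derive the five hash values and store the status record."""
        first, second = h(vm_id), h(txn_id)
        third = h(combine(first, second))
        fourth = h(request_id)
        status_id = h(combine(third, fourth))  # fifth hash value
        self._records[status_id] = StatusRecord(status_id, third, fourth)
        return status_id

    def revoke_by_request(self, request_id: bytes, status_id: bytes) -> bool:
        """[12]: NULL the fourth hash value if H(request_id) matches it."""
        rec = self._records.get(status_id)
        if rec is None or rec.fourth is None:
            return False
        if not hmac.compare_digest(h(request_id), rec.fourth):
            return False
        rec.fourth = None
        return True

    def restore(self, request_id: bytes, status_id: bytes) -> bool:
        """[13]: put H(request_id) back in place of the NULL value."""
        rec = self._records.get(status_id)
        if rec is None or rec.third is None or rec.fourth is not None:
            return False
        candidate = h(request_id)
        # Added check (not a step on the page): only write the value back if it
        # reproduces the status identifier, so a wrong identifier changes nothing.
        if not hmac.compare_digest(h(combine(rec.third, candidate)), status_id):
            return False
        rec.fourth = candidate
        return True

    def revoke_by_transaction(self, vm_id: bytes, txn_id: bytes) -> int:
        """[14]: find records by the third hash value and NULL it.
        Returns the number of records revoked."""
        third = h(combine(h(vm_id), h(txn_id)))
        revoked = 0
        for rec in self._records.values():
            if rec.third is not None and hmac.compare_digest(rec.third, third):
                rec.third = None
                revoked += 1
        return revoked

    def enquire(self, status_id: bytes) -> str:
        """[15]: recompute the hash of the two stored values and compare."""
        rec = self._records.get(status_id)
        if rec is None:
            # Not specified on the page; a relying party should fail closed here.
            return "unknown"
        if rec.third is None or rec.fourth is None:
            return "revoked"  # a NULL value can never reproduce the identifier
        recomputed = h(combine(rec.third, rec.fourth))
        return "not revoked" if hmac.compare_digest(recomputed, status_id) else "revoked"


# Constructed sample identifiers, for illustration only.
VM_ID, TXN_ID, REQ_ID = b"motor-registry-01", b"txn-000123", b"cert-req-42"

if __name__ == "__main__":
    store = StatusDatastore()
    sid = store.issue(VM_ID, TXN_ID, REQ_ID)
    print(sid.hex(), store.enquire(sid))
    store.revoke_by_request(REQ_ID, sid)
    print("after revocation:", store.enquire(sid))
    store.restore(REQ_ID, sid)
    print("after restoration:", store.enquire(sid))
```

A record revoked through the transaction path of [14] has its third hash value set to NULL, and the page describes no restoration for that case, so `restore()` refuses it.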
[16] The method may further comprise storing the digital certificate in association with the identification data in a storage device.
[17] The identification data may comprise one or more of the following attributes associated with the entity:
a name;
a registered address;
a date of birth;
a date of incorporation;
a digitised photograph;
a healthcare system identification;
a vehicle license registration number;
a passport number;
a tax file number;
a social security number;
a date of issue;
a biometric feature;
a social network identifier;
an email address;
a date of expiry;
a specification of rights;
a specification of restrictions;
a specification of security classifications;
an access key; and
a company registration number.
[18] Generating the digital certificate may comprise generating the digital certificate with respect to one or more of the attributes.
[19] The attributes may be provided from one or more of following sources:
a photo identification document;
a passport;
a driver's license;
a proof of residence;
a citizenship certificate;
a residency certificate;
a university certificate;
a company registration certificate;
a rates notice;
a biometric feature datastore;
a biometric feature collector;
a birth certificate;
a death certificate;
a trust deed;
a certificate of compliance;
a certificate of qualification;
a certificate of authority;
a certificate of registration;
a certificate of ownership;
a certificate of authenticity; and
a marriage certificate.
[20] The biometric feature may represent one or more of following features associated with the entity:
a fingerprint;
a face;
an iris;
a sclera;
a retina;
a gesture;
a gene information;
a deoxyribonucleic acid (DNA) information;
a signature;
hand or finger geometry;
deep tissue illumination; and
voice.
[21] Storing the digital certificate may comprise storing the digital certificate in a cloud-based storage device.
[22] The communication interface may comprise one or more of the following:
an Internet connection interface;
a Near Field Communication (NFC) interface;
a Bluetooth Low Energy (BLE) interface; and
an optical information reader.
[23] There is provided a computer system for generating a digital certificate for identification data associated with an entity. The computer system may comprise:
a memory device configured to store machine-readable instructions;
a bus connected to the memory device;
a communication interface connected to the bus; and
a processor connected to the bus, the processor obtaining via the bus the machine-readable instructions from the memory device, and being configured by the machine-readable instructions to:
receive, via the communication interface, a certification request to generate the digital certificate for the identification data, the certification request including the identification data and a certification request identifier to identify the certification request;
transmit, via the communication interface, the identification data to a verification module for verification of the identification data with respect to the entity, the verification module being identified by a verification module identifier;
receive from the verification module an indication indicating that the identification data is verified with respect to the entity and a transaction identifier identifying the identification data;
determine a status identifier based on hash values of the verification module identifier, the transaction identifier and the certification request identifier;
generate the digital certificate including the identification data and the status identifier; and
send the digital certificate to a computing device associated with the entity for the digital certificate to be stored on the computing device.
[24] There is provided a computer software program, including machine-readable instructions, when executed by a processor, causing the processor to perform the method of any one of the preceding method claims.
Brief Description of the Drawings
[25] Notwithstanding any other forms which may fall within the scope of the present invention, one or more embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:
[26] Fig. 1 illustrates an exemplary environment of computing devices in which various embodiments of the present invention may be implemented;
[27] Fig. 2 illustrates an information flow diagram for generating a digital certificate for identification data associated with an entity, in accordance with an embodiment of the present invention;
[28] Fig. 3 illustrates an information flow diagram for revocation of the digital certificate associated with the entity, in accordance with an embodiment of the present invention;
[29] Fig. 4 illustrates an information flow diagram for generating a further digital certificate for the identification data associated with the entity, in accordance with an embodiment of the present invention;
[30] Fig. 5 illustrates an information flow diagram for verifying an identity of the entity, in accordance with an embodiment of the present invention;
[31] Fig. 6 illustrates an information flow diagram for verifying the identity of the entity, in accordance with another embodiment of the present invention;
[32] Figs. 7A to 7C illustrate a computer implemented method for restoring a revoked digital certificate for the identification data associated with the entity, in accordance with an embodiment of the present invention;
[33] Fig. 8 illustrates a computer implemented method 800 for generating a digital certificate for identification data associated with an entity, in accordance with an embodiment of the present invention;
[34] Fig. 9 illustrates an example of the digital certificate in accordance with an embodiment of the present invention;
[35] Fig. 10 illustrates an example for determining a status identifier in accordance with an embodiment of the present invention; and
[36] Fig. 11 illustrates an example status record in accordance with an embodiment of the present invention.
Description of Embodiments
[37] It should be noted in the following description that like or the same reference numerals in different embodiments denote the same or similar features.
[38] Figure 1 illustrates an exemplary environment 100 of computing devices in which various embodiments of the present invention may be implemented. As shown in Figure 1, the exemplary environment 100 comprises a computing device 102. In one embodiment, the computing device 102 is a mobile device such as a cellular phone, a palmtop, a tablet computer or a Personal Digital Assistant (PDA). In various embodiments, the computing device 102 can be, for example, a laptop, a desktop or a tablet computer. The computing device 102 is used by an entity or a user.
[39] The computing device 102 is connected to a communication network 104. In various embodiments, the communication network 104 is a Local Area Network (LAN) or a Wide Area Network (WAN). Preferably, the communication network 104 is the Internet. Further connected to the communication network 104 is a registration authority module 106 associated with a registration authority. The registration authority may be a service provider that is responsible for the registration of an entity for a digital certificate by checking evidence of identification data provided by the entity for compliance with a respective applicable identity proofing policy in a jurisdiction. For example, a post office or a motor vehicle management department can be a registration authority. The registration authority may also be responsible for the secure distribution of digital certificates to subscribers. In the context of the specification, a digital certificate is an electronic document that contains identity information to identify an entity. The digital certificate may be issued from the registration authority.
[40] The registration authority module 106 comprises a memory device 110 configured to store machine readable instructions, a bus 114 connected to the memory device 110, a communication interface 108 connected to the bus 114 and a processor 112 connected to the bus 114.
[41] Further connected to the communication network 104 is a relying party module 116 associated with a relying party. The relying party is a recipient of a digital certificate that acts in reliance of the digital certificate and/or a digital certificate verified using the digital certificate. An example of a relying party includes, but is not limited to, a liquor store, transport services, government service providers, commercial organisations, retail outlets, websites, etc.
[42] The relying party module 116 comprises a memory device 120 configured to store machine readable instructions, a bus 124 connected to the memory device 120, a communication interface 118 connected to the bus 124 and a processor 122 connected to the bus 124. Further connected to the communication network 104 is a recipient device 126 associated with an individual. The recipient device 126 comprises a memory device 130 configured to store machine readable instructions, a bus 134 connected to the memory device 130, a communication interface 128 connected to the bus 134 and a processor 132 connected to the bus 134. In various embodiments of the invention, each one of the communication interfaces 108, 118 and 128 comprises one or more of an internet interface, an NFC interface, a BLE interface and an optical information reader.
[43] Further connected to the communication network 104 is a verification module 136 associated with one or more verification services. The verification module 136 is shown in Figure 1 as a separate device (for example, a separate server) for description purposes, but the verification module 136 can also be a logical or physical part of another device, for example, the registration authority module 106. In one embodiment, the verification module 136 is a verification module stack comprising one or more of a document verification module 138 and a biometric feature verification module 140. Further connected to the communication network 104 is a storage device 142. The storage device 142 is configured to maintain one or more datastores 144, 146, 148 and 150, which may be generated or used in the present invention. In various embodiments, the storage device 142 may be one of, but not limited to, a local storage device or a cloud-based storage device. The computer system for generating a digital certificate for identification data associated with an entity can now be elucidated using the environment 100 as a reference.
[44] Figure 2 illustrates an information flow diagram for generating a digital certificate for identification data associated with an entity, in accordance with an embodiment 200 of the present invention. In various embodiments, the entity may be an individual, a business or an organization. The processor 112 of the registration authority module 106 obtains via the bus 114 the machine-readable instructions from the memory device 110, and is configured by the machine-readable instructions to receive, via the communication interface 108, the identification data associated with the entity. In one embodiment, the communication interface 108 is a user input interface. An entity associated with the computing device 102, for example, the user of the computing device 102, presents their identity documents to the registration authority, and the staff working at the registration authority enter the identification data into the registration authority module 106 via the communication interface 108. In another embodiment, the communication interface 108 includes an optical information reader, for example, a Quick Response (QR) code reader or a bar code reader, to read the identification data from the identity documents if the identity documents have a QR code or a bar code printed thereon. The optical information reader may also be a scanner to scan the identity documents of the user. In a further embodiment, the communication interface 108 is an Internet connection interface. The user may provide a web link to their identification data, and the registration authority module 106 retrieves the identification data from the web link via the communication interface 108. In a further embodiment, the communication interface 108 includes a Near Field Communication (NFC) interface or a Bluetooth Low Energy (BLE) interface. The registration authority module 106 receives, via the NFC interface or the BLE interface, the identification data of the user from the computing device 102 of the user.
[45] In a further embodiment, the communication interface 108 includes a biometric feature reader to determine the biometric features of the user, which are also able to serve as at least part of the identification data of the user in the present disclosure. The biometric feature reader may include, for example, a facial image collector, a fingerprint collector, a microphone, a gesture sensor, etc. The biometric feature reader can be used to capture the real-time biometric features of the entity when the entity is presenting their identity documents.
[46] In various embodiments, the identification data comprises one or more attributes associated with the entity. These attributes characterise different aspects of the identification data of the entity. The attributes comprise one or more of the following:
a name;
a registered address;
a date of birth;
a date of incorporation;
a digitised photograph;
a healthcare system identification;
a vehicle license registration number;
a passport number;
a tax file number;
a social security number;
a date of issue;
a biometric feature;
a social network identifier;
an email address;
a date of expiry;
a specification of rights;
a specification of restrictions;
a specification of security classifications;
an access key; and
a company registration number.
[47] The attributes are provided from or contained in one or more of following sources:
a photo identification document;
a passport;
a driver's license;
a proof of residence;
a citizenship certificate;
a residency certificate;
a university certificate;
a company registration certificate;
a rates notice;
a biometric feature datastore;
a biometric feature collector;
a birth certificate;
a death certificate;
a trust deed;
a certificate of compliance;
a certificate of qualification;
a certificate of authority;
a certificate of registration;
a certificate of ownership;
a certificate of authenticity; and
a marriage certificate.
[48] Further, the processor 112 is configured to transmit, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the entity. In one embodiment of the invention, the document verification module 138 is configured to verify one or more identity documents for verification of the identity of the entity. For example, the document verification module 138 compares the identification data received from the registration authority module 106 with the identification data pre-stored in the document verification module 138 to verify the identity of the entity.
[49] In one embodiment of the invention, the biometric feature verification module 140 is configured to verify the identity of the entity using one or more biometric features selected from a group comprising the following:
a fingerprint;
a face;
an iris;
a sclera;
a retina;
a gesture;
a gene information;
a deoxyribonucleic acid (DNA) information;
a signature;
hand or finger geometry;
deep tissue illumination; and
voice.
[50] In a further embodiment, the communication interface 108 may include more than one type of communication interface, for example, a biometric feature reader, an NFC interface and an Internet communication interface. In this embodiment, the biometric feature reader is used by the processor 112 of the registration authority module 106 to capture real-time biometric features of the entity, for example, a real-time facial or fingerprint image of the user. The NFC interface is used by the processor 112 to receive the identification data from the computing device 102 of the user, which is stored in the computing device 102 of the user. Both the real-time biometric features captured by the biometric feature reader and the identification data received from the computing device 102 are sent from the registration authority module 106, via the Internet communication interface, to the verification module 136. This way, the verification module 136 is able to verify if the user who is providing the identification data from their computing device 102 is the entity identified in the identification data. For example, if the real-time captured biometric features and the identification data received from the computing device 102 match the biometric features and identification data pre-stored in the verification module 136, it is determined that the user who is providing the identification data from their computing device 102 is the entity identified in the identification data.
[51] The verification module 136 is configured to generate an indication indicating that the identification data is verified with respect to the entity. For example, the verification module 136 may generate an indication for one or more attributes of the identification data to indicate the particular attribute(s) is verified. Further, the verification module 136 is configured to transmit the indication to the registration authority module 106. Further, the processor 112 is configured to receive the indication from the verification module 136. This way it is confirmed that the one or more documents and the one or more biometric features are valid and meet the necessary regulatory compliances. Further, the processor 112 is configured to generate a digital certificate to indicate the verification of the identification data based on the indication.
[52] In one embodiment of the invention, the processor 112 is further configured to generate the digital certificate with respect to the one or more of the attributes. For example, one digital certificate may be issued for the name of the entity, another digital certificate may be issued for the date of birth or the date of incorporation of the entity and yet another digital certificate may be issued for the address of the entity.
[53] Further, the processor 112 is configured to send the digital certificate to the computing device 102 associated with the entity for the digital certificate to be stored on the computing device 102. The processor 112 is further configured to store the digital certificate in association with the identification data in the storage device 142. In that manner, it is envisaged that the identification data may be stored in an identification data datastore 144 and the digital certificate may be stored in the digital certificate datastore 146. Further, in one embodiment of the invention, the processor 112 is further configured to generate an identifier associated with the digital certificate and store the identifier in the storage device 142 in association with the digital certificate. In that manner, it is envisaged that the identifier may be stored in an identifier datastore 148. Further, it is envisaged that the identification data datastore 144, the digital certificate datastore 146 and the identifier datastore 148 are associated with each other; therefore, the digital certificate datastore 146 and the identification data datastore 144 can be queried using a unique identifier in the identifier datastore 148.
[54] The above process is applicable to a scenario where a user or an entity intends to obtain a digital certificate for their driver's license. In this scenario, for example, the entity is an individual user, the registration authority is a postal service and the document verification service is a motor registry. To generate the digital certificate, the registration authority module 106 associated with the postal service receives the identification data of the user, which is recorded in the driver's license, via the Internet, or NFC or by scanning a QR code, as described above. The processor 112 of the registration authority module 106 transmits the identification data to the document verification module 138 associated with the motor registry and receives the indication from the document verification module 138 that the driver's licence is verified. The registration authority module 106 associated with the postal service then issues a digital certificate for attributes contained in the driver's license, such as the name of the user, the date of birth of the user and the address of the user. The digital certificate and the attributes may be stored in an encrypted or unencrypted form on the computing device 102 of the user.
[55] The above process is also applicable to a scenario where a user or an entity generates a digital certificate for their driver's license by themselves. In this scenario, the registration authority module 106 is a physical or logical part of the computing device 102 of the user.
[56] The digital certificate thus generated may be used by the entity with a relying party (for example, a liquor store, transport services, government service providers, commercial organisations, retail outlets, websites, etc.) as a proof of identity. Since the digital certificate is stored on the computing device 102, it is both secure and convenient to share the digital certificate with the relying entity, particularly, the device associated with the relying entity. However, it is possible that the computing device 102 is accessed by an unauthorized party and hence the digital certificate is stolen or compromised; in that case, the entity may request revocation of the digital certificate. It is envisaged that before the request for revocation could be accepted, the entity may need to provide the identifier and/or answer certain security questions and/or provide certain exclusive information etc. to establish the identity of the entity. Once the identity of the entity has been established and verified, a revocation request could be processed.
[57] Figure 3 illustrates an information flow diagram for revocation of the digital certificate associated with the entity, in accordance with an embodiment 300 of the present invention. In one embodiment, the processor 112 is further configured to receive a request for revocation of the digital certificate associated with the entity. Also, the processor 112 is further configured to store the identifier associated with the digital certificate in a revocation datastore 150 to indicate that the digital certificate associated with the entity is revoked. It is envisaged that the revocation datastore 150 is a publicly accessible datastore and any relying party can check if the digital certificate provided to the relying party, by the entity, has been revoked or not when the relying party is conducting a transaction with the entity. The entity may also want a further digital certificate to be issued to restore the proof of identity of the entity.
[58] Figure 4 illustrates an information flow diagram for generating a further digital certificate for the identification data associated with the entity, in accordance with an embodiment 400 of the present invention. The processor 112 is further configured to receive, via the communication interface 108, the identification data associated with the entity. Further, the processor 112 is further configured to transmit, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the entity. The verification module 136 in turn is configured to generate a further indication on verification of the identification data and transmit the further indication to the registration authority module 106. The processor 112 in turn is configured to receive from the verification module 136 the further indication indicating that the identification data is verified with respect to the entity.
[59] Further, the processor 112 is configured to generate a further digital certificate to indicate the verification of the identification data based on the indication. Further, the processor 112 is configured to generate a further identifier associated with the further digital certificate and the identifier. Also, the processor 112 is configured to store the further identifier in association with the identifier in the revocation datastore 150 to indicate that the further digital certificate is not revoked. The further digital certificate obtained may be used to establish the identity of the entity with a relying party, such as a liquor store needing a proof of age of an individual or a highway toll service needing a proof of a valid driver's license of the individual.
[60] Figure 5 illustrates an information flow diagram for verifying an identity of the entity, in accordance with an embodiment 500 of the present invention. For verification of the identity of the entity, the processor 122 of the relying party module 116 obtains, via the bus 124, the machine-readable instructions from the memory device 120, and is configured by the machine-readable instructions to send, via the communication interface 118, a first request to the computing device 102 associated with the entity for a first digital certificate associated with the entity. It is to be noted here that the first digital certificate has been generated by the registration authority module 106 and sent to the computing device 102. In one embodiment of the invention, the processor 122 is further configured to send, via the communication interface 118, a second digital certificate associated with a further entity to the computing device 102 associated with the entity for the computing device 102 to verify the second digital certificate associated with the further entity. In this scenario, the further entity refers to the relying party.
[61] Further, the processor 122 is further configured to receive, via the communication interface 118, a second indication indicative of an outcome of the verification of the second digital certificate. The verification of the second digital certificate is to ensure that the computing device 102 is sharing the identification data with a reliable entity. In that manner, it is envisaged that the computing device 102 may be configured to identify a digital signature provided by the registration authority module 106 in the second digital certificate. The outcome may be "success", "denial" or "alarm". "Success" may signify that the second digital certificate is verified, "denial" may signify that the second digital certificate is not verified and "alarm" may signify that the second digital certificate is fraudulent.
[62] Further, the processor 122 is configured to receive, via the communication interface 118, the first digital certificate from the computing device 102. The receiving of the first digital certificate is to ensure that the entity associated with the computing device 102 is reliable and registered. Further, the processor 122 is configured to verify the first digital certificate associated with the entity. Further, the processor 122 is configured to generate a first indication indicative of an outcome of the verification of the first digital certificate. In that manner, it is envisaged that the processor 122 may be configured to identify a digital signature provided by the registration authority module 106 in the first digital certificate. The outcome may be "success", "denial" or "alarm". "Success" may signify that the first digital certificate is verified, "denial" may signify that the first digital certificate is not verified and "alarm" may signify that the first digital certificate is fraudulent. Further, the processor 122 is configured to send the first indication to the computing device 102 associated with the entity.
[63] In one embodiment of the invention, the processor 122 is further configured to send, via the communication interface 118, a second request to the computing device 102 associated with the entity for access to the identification data associated with the entity. The second request may include a usage constraint. As an example, the usage constraint includes an expiration time. Specifically, the expiration time is a deadline by which the processor 122 is required to receive the identification data. Further, the processor 122 is configured to receive, via the communication interface 118, the identification data associated with the entity within the usage constraint. For example, the processor 122 is configured to receive the identification data associated with the entity from the computing device 102 before the expiration time. If the processor 122 fails to receive the identification data before the expiration time from the computing device 102, the transaction between the computing device 102 and the relying party module 116 will not proceed. The usage constraint can also include an indication of, for example, how the identification data is disseminated or distributed, or how the identification data is presented. For example, the usage constraint may require the identification data to be received from a USB drive, a remote datastore, or a Quick Response (QR) code or a bar code printed on a printable medium. It should be noted that even if the identification data is received outside the usage constraint, for example, after the expiration time, the processor 122 is also able to choose to accept the identification data. Further, such a matter of choice can also be part of the usage constraint. In one embodiment, the processor 122 needs to verify the identification data with the verification module 136.
[64] In one embodiment of the invention, the processor 122 is further configured to verify the identification data associated with the entity by sending, via the communication interface, the identification data to the verification module 136 for verification of the identification data and receiving from the verification module 136 the outcome of the verification of the identification data. The outcome may be "success", "denial" or "alarm". "Success" may signify that the identification data is verified for an attribute, "denial" may signify that the identification data has not been verified for the attribute and "alarm" may signify that the identification data is fraudulent.
[65] The above process is applicable to a scenario where an entity, for example, an individual, conducts a transaction with a relying party. For example, the entity is an individual user and the relying party is a road network management organization, which is an organisation that maintains and manages road networks. The registration authority in this example may be a postal service. Both the individual user and the road network management organisation have registered with the registration authority and have been issued respective digital certificates. The road network management organization may send a first request asking for the individual's driver's license at a check point on one of the roads under management. The first request may include the digital certificate of the road network management. Further, the first request may be sent using the communication network 104, such as the internet. The individual verifies the digital certificate of the road network management on the computing device 102 and sends the digital certificate of their driver's license to the relying party module 116 associated with the road network management. The relying party module 116 checks the revocation datastore 150 with respect to the user's digital certificate in order to determine if the user's digital certificate is revoked. If the user's digital certificate is not revoked, the relying party module 116 associated with the road network management verifies the user's digital certificate. The relying party module 116 may also receive the user's identification data from the computing device 102 of the user, and then sends the user's identification data to the verification module 136 for verification. If the outcome of the verification module 136 is a "success", the digital certificate of the user's driver license is verified. This means this user is using a legitimate driver's license.
[66] It is also envisaged, as one of the aspects of the invention, that an individual may be able to verify another individual for an attribute. In that manner, it is envisaged that the recipient device 126 associated with a recipient may be able to request a digital certificate, issued by a registration authority, from the entity associated with the computing device 102.
[67] Figure 6 illustrates an information flow diagram for verifying the identity of the entity, in accordance with another embodiment 600 of the present invention. The processor 132 obtains, via the bus 134, the machine-readable instructions from the memory device 130, and is configured by the machine-readable instructions to receive, via the communication interface 128, the digital certificate from the computing device 102 associated with the entity, i.e., the sender. Further, similar to the discussion above, using a digital signature of the registration authority module 106, the processor 132 is configured to verify the digital certificate associated with the sender. Further, the processor 132 is configured to generate an indication indicative of an outcome of the verification of the first digital certificate. Here again the outcome may be "success", "denial" or "alarm". "Success" may signify that the digital certificate associated with the sender is accepted by the recipient. "Denial" may signify that the digital certificate associated with the sender is not accepted by the recipient or the sender refuses to be verified. And "alarm" may signify that the digital certificate associated with the sender is fraudulent. Further, the processor 132 is configured to send the indication to the computing device 102 associated with the sender.
[68] Figures 7A to 7C illustrate a computer implemented method 700 for restoring a revoked digital certificate for the identification data associated with the entity, in accordance with an embodiment of the present invention. The method begins at step 710 when the processor 112 receives, via the communication interface 108, the identification data associated with the entity. At step 720, the processor 112 transmits, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the entity. At step 730, the processor 112 receives from the verification module an indication indicating that the identification data is verified with respect to the entity.
[69] At step 740, the processor 112 generates the digital certificate to indicate the verification of the identification data based on the indication. In one embodiment of the invention, generating the digital certificate comprises generating the digital certificate with respect to the one or more of the attributes. Further, in one embodiment of the invention, generating the digital certificate comprises generating a pair of a public key and a private key and encrypting the digital certificate with the public key.
[70] At step 750, the processor 112 sends the digital certificate to the computing device 102 associated with the entity for the digital certificate to be stored on the computing device 102.
[71] The processor 112 may further store the digital certificate in association with the identification data in the storage device 142. In one embodiment of the invention, storing the digital certificate in association with the identification data comprises storing the digital certificate, via the communication network 104, in association with the identification data in the storage device 142. In one embodiment of the invention, storing the digital certificate comprises storing the digital certificate in a cloud-based storage device.
[72] In one embodiment of the invention, the method 700 further comprises generating 752 the identifier associated with the digital certificate and storing 754 the identifier in the storage device 142 in association with the digital certificate. In one embodiment of the invention, the method 700 further comprises receiving 756 the request for revocation of the digital certificate associated with the entity and storing 758 the identifier associated with the digital certificate in the revocation datastore 150 to indicate that the digital certificate associated with the entity is revoked.
[73] In one embodiment of the invention, the method 700 further comprises receiving 760, via the communication interface 108, the identification data associated with the entity. Further, the method 700 comprises transmitting 762, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the entity. Further, the method 700 comprises receiving 764 from the verification module 136 the further indication indicating that the identification data is verified with respect to the entity. Further, the method 700 comprises generating 766 the further digital certificate to indicate the verification of the identification data based on the indication. Further, the method 700 comprises generating 768 the further identifier associated with the further digital certificate and the identifier. Also, the method 700 comprises storing 770 the further identifier in association with the identifier in the revocation datastore 150 to indicate that the further digital certificate is not revoked.
[74] Fig. 8 illustrates a method 800 for generating a digital certificate for identification data associated with an entity in accordance with an embodiment of the present invention. The method 800 is performed by the registration authority module 106, particularly, the processor 112 of the registration authority module 106.
[75] In an initialisation phase, the entity associated with the computing device 102, for example, the user of the computing device 102, stores their identification data on the computing device 102. For example, the user enters the identification data (for example, passport information including a name, nationality, a date of birth, gender, issuing authority, an expiration date, etc.) into the computing device 102 via a keyboard or touch screen of the computing device 102. In another embodiment, the computing device 102 includes an optical information reader, for example, a Quick Response (QR) code reader or a bar code reader, to read the identification data from the identity documents if the identity documents have a QR code or a bar code printed thereon. The optical information reader may also be a scanner to scan the identity documents of the user. In a further embodiment, the computing device 102 includes an Internet connection interface. The user may provide a web link to their identification data, and the computing device 102 retrieves the identification data from the web link. In a further embodiment, the computing device 102 includes a Near Field Communication (NFC) interface or Bluetooth Low Energy (BLE) interface. The computing device 102 receives, via the NFC interface or BLE interface, the identification data of the user from a data source.
[76] Further, the computing device 102 generates a pair of signing keys for signature, including a public signing key and a private signing key, using a key generation algorithm, for example, Elliptic-curve cryptography (ECC), Rivest–Shamir–Adleman (RSA), etc. Also, the computing device 102 generates a pair of encryption keys for encryption, including a public encryption key and a private encryption key. Similarly, the registration authority module 106 generates a pair of signing keys for signature, including a public signing key and a private signing key, using a key generation algorithm, for example, Elliptic-curve cryptography (ECC), Rivest–Shamir–Adleman (RSA), etc. Also, the registration authority module 106 generates a pair of encryption keys for encryption, including a public encryption key and a private encryption key.
[77] To enhance security, the computing device 102 and the registration authority module 106 conduct a handshake process following initialisation to confirm each other's identity. As a result, the public signing key and the public encryption key of the computing device 102 are sent to the registration authority module 106, and the public signing key and the public encryption key of the registration module 106 are sent to the computing device 102.
[78] The computing device 102 generates a certification request to generate the digital certificate for identification data associated with the user of the computing device 102. The certification request includes the identification data and a certification request identifier to identify the certification request. An example of the identification data includes a name (First name: John, Last name: Smith), nationality (Australia), a date of birth (27 July 1964), gender (Male), Identification Type (Passport), issuing authority (Australian Passport Office). An example of the certification request identifier is 10123456. The computing device 102 sends the certification request to the registration authority module 106.
[79] At step 810, the processor 112 of the registration authority module 106 receives, via the communication interface 108, the certification request including the identification data and the certification request identifier.
[80] At step 820, the processor 112 of the registration authority module 106 extracts the identification data from the certification request and transmits, via the communication interface 108, the identification data to the verification module 136 for verification of the identification data with respect to the user. As the registration authority module 136 may interact with multiple verification modules to verify different types of identification data, for example, Australian Passport Office, Australian Tax Office, etc., each of the verification modules is identified by a verification module identifier (for example, CA-IA-PASSPORTOFFICE for the verification module 136) within the registration authority module 106 for the registration authority module 106 to identify the verification module. The verification module 136 in this example is a server of the authority that issues the passport for the user identified by the identification data, i.e., John Smith. The verification module 136 verifies the identification data and returns a verification response to the registration authority module 106. The verification response includes an indication indicating that the identification data is verified with respect to the user (for example, a Boolean value: TRUE) and a transaction identifier (for example, IA-Passport-123456) identifying the identification data that has been verified. The transaction identifier is used in future communication with the verification module 136 in relation to the identification data and status of the identification data.
[81] The verification module 136 sends the verification response to the registration authority module 106 and the processor 112 of the registration authority module 106 receives 830 the indication and the transaction identifier.
[82] At step 840, the processor 112 of the registration authority module 106 determines a status identifier based on hash values of the verification module identifier, the transaction identifier and the certification request identifier. The status identifier is used to determine if the digital certificate is revoked or not. Particularly, the hash values used in method 800 ensure that any changes to the verification module identifier, the transaction identifier and the certification request identifier will lead to an invalid status identifier. This way, the status of the digital certificate can be determined, as described in detail below.
[83] At step 850, the processor 112 of the registration authority module 106 generates the digital certificate. The digital certificate includes the identification data, the indication and the status identifier. An example 900 of the digital certificate is shown in Fig. 9.
[84] At step 860, the processor 112 of the registration authority module 106 sends the digital certificate 900 to the computing device 102 associated with the user for the digital certificate 900 to be stored on the computing device 102. This way, the user is able to use the digital certificate 900 to conduct transactions with the relying party module 116.
[85] Fig. 10 illustrates an example 1000 for determining the status identifier based on the hash values of the verification module identifier (i.e., CA-IA-PASSPORTOFFICE), the transaction identifier (i.e., IA-Passport-123456) and the certification request identifier (i.e., 10123456). In the example 1000, the status identifier is generated based on a Merkle Tree. As shown in Fig. 10, the verification module identifier (denoted by "a"), the transaction identifier (denoted by "b") and the certification request identifier (denoted by "d") are the inputs of the Merkle Tree. The processor 112 of the registration authority module 106 applies a hash operation to the verification module identifier to determine a first hash value (i.e., c44b8874, denoted by "A"). The processor 112 of the registration authority module 106 applies the hash operation to the transaction identifier to determine a second hash value (i.e., 14faaad9, denoted by "B"). The processor 112 of the registration authority module 106 applies the hash operation to a combination (i.e., c44b887414faaad9) of the first hash value and the second hash value to determine a third hash value (i.e., e4ed87d6, denoted by "C"). The processor 112 of the registration authority module 106 applies the hash operation to the certification request identifier to determine a fourth hash value (i.e., 590371fd, denoted by "D"). The processor 112 of the registration authority module 106 applies the hash operation to a combination (i.e., e4ed87d6590371fd) of the third hash value and the fourth hash value to determine a fifth hash value (i.e., 9a1fd371, denoted by "ROOT"). The fifth hash value is the hash value of the root node of the Merkle Tree in Fig. 10. The fifth hash value is determined to be the status identifier in example 1000.
Although the hash operation used in the example is CRC32, other hash operations can also be used without departing from the scope of the invention, for example, CRC-16, MD2, MD4, MD5, SHA-256, etc. For description purposes, the third hash value is referred to as IA-Hash-UUID, and the fourth hash value is referred to as IO-Hash-UUID.
[86] The processor 112 of the registration authority module 106 further generates a status record. The status record includes a "Status Identifier" field to contain the status identifier associated with the digital certificate, an "IA-Hash-UUID" field to contain the IA-Hash-UUID in the Merkle Tree, and an "IO-Hash-UUID" field to contain the IO-Hash-UUID in the Merkle Tree. An example status record 1100 is shown in Fig. 11. The processor 112 of the registration authority module 106 stores the status record in a status datastore, for example, the revocation datastore 150.
[87] In order to revoke the digital certificate 900, the computing device 102 extracts the status identifier from the digital certificate 900 stored thereon. As shown in Fig. 9, the status identifier associated with the digital certificate 900 is 9a1fd371. The computing device 102 generates a revocation request including the certification request identifier (i.e., 10123456) and the status identifier, and sends the revocation request to the registration authority module 106. The processor 112 of the registration authority module 106 receives the revocation request to revoke the digital certificate associated with the user and extracts the status identifier (i.e., 9a1fd371) and the certification request identifier from the revocation request. The processor 112 of the registration authority module 106 searches the status datastore and identifies the status record 1100 in the status datastore by the status identifier.
[88] The processor 112 of the registration authority module 106 applies the hash operation (for example, CRC32) to the certification request identifier (i.e., 10123456) to determine a hash value of the certification request identifier. The hash value determined is 590371fd. The hash value of the certification request identifier is equal to the hash value in the "IO-Hash-UUID" field of the status record 1100, which means the digital certificate 900 has not been revoked; the processor 112 of the registration authority module 106 then replaces the hash value in the "IO-Hash-UUID" field of the status record 1100 with a NULL value to indicate that the digital certificate 900 is revoked.
[89] On the other hand, in order to restore the revoked digital certificate 900, the computing device 102 generates a restoration request including the certification request identifier (i.e., 10123456) and the status identifier (i.e., 9a1fd371), and sends the restoration request to the registration authority module 106. The processor 112 of the registration authority module 106 receives the restoration request and extracts the status identifier (i.e., 9a1fd371) and the certification request identifier (i.e., 10123456) from the restoration request. The processor 112 of the registration authority module 106 searches the status datastore and identifies the status record 1100 in the status datastore by the status identifier.
[90] The processor 112 of the registration authority module 106 applies the hash operation (for example, CRC32) to the certification request identifier (i.e., 10123456) to determine a hash value of the certification request identifier. The hash value determined is 590371fd. As the digital certificate 900 has been revoked, the hash value in the "IO-Hash-UUID" field of the status record 1100 is a NULL value, and the processor 112 of the registration authority module 106 replaces the NULL value in the "IO-Hash-UUID" field of the status record 1100 with the hash value (i.e., 590371fd) of the certification request identifier to indicate that the revoked digital certificate 900 is restored.
[91] In another example, the revocation can be initiated by the verification module 136. The verification module 136 generates a revocation request to revoke the digital certificate 900 associated with the user. The revocation request includes the transaction identifier (i.e., IA-Passport-123456). The verification module 136 sends the revocation request to the registration authority module 106. The processor 112 of the registration authority module 106 receives the revocation request and extracts the transaction identifier (i.e., IA-Passport-123456) from the revocation request.
[92] The processor 112 of the registration authority module 106 applies the hash operation to the verification module identifier (i.e., CA-IA-PASSPORTOFFICE) to determine the first hash value (i.e., c44b8874). The processor 112 of the registration authority module 106 further applies the hash operation to the transaction identifier (i.e., IA-Passport-123456) to determine the second hash value (i.e., 14faaad9).
[93] The processor 112 of the registration authority module 106 applies the hash operation to the combination (i.e., c44b887414faaad9) of the first hash value and the second hash value to determine the third hash value (i.e., e4ed87d6). The processor 112 of the registration authority module 106 searches the "IA-Hash-UUID" field in the status datastore by the third hash value and identifies the data record 1100 in the status datastore. The processor 112 of the registration authority module 106 replaces the third hash value (i.e., e4ed87d6) in the "IA-Hash-UUID" field of the status record 1100 with a NULL value to indicate that the digital certificate 900 is revoked.
[94] As described above, the user is able to use the digital certificate 900 to conduct transactions with the relying party module 116. The digital certificate 900 with the status identifier (i.e., 9a1fd371) is sent by the user from the computing device 102 to the relying party module 116. Prior to conducting transactions with the user, the relying party module 116 needs to verify that the digital certificate 900 is not revoked. The relying party module 116 generates a status enquiry request to check if the digital certificate 900 associated with the user is revoked or not. The status enquiry request includes the status identifier. The relying party module 116 sends the status enquiry request to the registration authority module 102. The processor 112 of the registration authority module 106 receives the status enquiry request and extracts the status identifier (i.e., 9a1fd371) from the status enquiry request.
[95] The processor 112 of the registration authority module 106 searches the "Status Identifier" field of the status datastore by the status identifier (i.e., 9a1fd371) and identifies the status record 1100 in the status datastore. The processor 112 of the registration authority module 106 extracts a hash value (i.e., e4ed87d6) from the "IA-Hash-UUID" field of the status record 1100 and another hash value (i.e., 590371fd) from the "IO-Hash-UUID" field of the status record 1100. The processor 112 of the registration authority module 106 constructs a combination (i.e., e4ed87d6590371fd) of the two hash values and applies the hash operation to the combination to determine a hash value (i.e., 9a1fd371). In this example, as the hash value determined is equal to the status identifier associated with the digital certificate 900, it is determined that the digital certificate 900 is not revoked. As a result, the processor 112 of the registration authority module 106 generates a first message indicating that the digital certificate 900 is not revoked and sends the first message to the relying party module 116. Upon receipt of the first message at the relying party module 116, the relying party module 116 proceeds with transactions with the user using the digital certificate 900.
[96] If the digital certificate 900 is revoked by the user or the verification module 136, one of the hash value from the "IA-Hash-UUID" field and the hash value from the "IO-Hash-UUID" field of the status record 1100 is a NULL value. As a result, the hash value of the combination of the two hash values is not equal to the status identifier (i.e., 9a1fd371) and it is determined that the digital certificate 900 is revoked. Therefore, the processor 112 of the registration authority module 106 generates a second message indicating that the digital certificate 900 has been revoked and sends the second message to the relying party module 116. Upon receipt of the second message at the relying party module 116, the relying party module 116 rejects transactions with the user using the digital certificate 900.
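The status-record scheme of paragraphs [82] to [96], as an added example that is not code from the patent: issuance, holder-initiated revocation and restoration, verifier-initiated revocation, and the relying party's status enquiry. Class and method names are hypothetical; hashing the concatenated hex strings as text, treating an unknown status identifier as revoked, and re-checking the root before restoring are assumptions of this example.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def crc32_hex(text: str) -> str:
    # CRC32 is the page's example hash operation. It is a checksum,
    # not a collision-resistant hash; SHA-256 is also named on the page.
    return format(zlib.crc32(text.encode("utf-8")) & 0xFFFFFFFF, "08x")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class StatusRecord:
    status_identifier: str     # root of the three-leaf Merkle tree
    ia_hash: Optional[str]     # "IA-Hash-UUID"; None stands for NULL
    io_hash: Optional[str]     # "IO-Hash-UUID"; None stands for NULL


class StatusDatastore:
    def __init__(self, hash_op: Callable[[str], str] = crc32_hex):
        self.hash_op = hash_op
        self.records: Dict[str, StatusRecord] = {}

    def _ia_hash(self, verification_module_id: str, transaction_id: str) -> str:
        # C = H(H(a) + H(b)); "combination" is assumed to be string concatenation.
        h = self.hash_op
        return h(h(verification_module_id) + h(transaction_id))

    def issue(self, verification_module_id: str, transaction_id: str,
              certification_request_id: str) -> str:
        ia = self._ia_hash(verification_module_id, transaction_id)
        io = self.hash_op(certification_request_id)       # D = H(d)
        root = self.hash_op(ia + io)                       # ROOT = H(C + D)
        self.records[root] = StatusRecord(root, ia, io)
        return root

    def is_revoked(self, status_identifier: str) -> bool:
        rec = self.records.get(status_identifier)
        # Assumption: an unknown identifier fails closed (reported as revoked).
        if rec is None or rec.ia_hash is None or rec.io_hash is None:
            return True
        return self.hash_op(rec.ia_hash + rec.io_hash) != status_identifier

    def revoke_by_holder(self, status_identifier: str,
                         certification_request_id: str) -> bool:
        rec = self.records.get(status_identifier)
        if rec is None or rec.io_hash != self.hash_op(certification_request_id):
            return False       # unknown record, already revoked, or wrong identifier
        rec.io_hash = None
        return True

    def restore_by_holder(self, status_identifier: str,
                          certification_request_id: str) -> bool:
        rec = self.records.get(status_identifier)
        if rec is None or rec.io_hash is not None or rec.ia_hash is None:
            return False       # nothing to restore, or the verifier revoked it
        candidate = self.hash_op(certification_request_id)
        # Added check: only restore if the root recomputes to the status identifier.
        if self.hash_op(rec.ia_hash + candidate) != status_identifier:
            return False
        rec.io_hash = candidate
        return True

    def revoke_by_verifier(self, verification_module_id: str,
                           transaction_id: str) -> int:
        ia = self._ia_hash(verification_module_id, transaction_id)
        hits = [r for r in self.records.values() if r.ia_hash == ia]
        for rec in hits:
            rec.ia_hash = None
        return len(hits)


if __name__ == "__main__":
    # Identifiers follow the page's example; printed hashes are whatever
    # zlib.crc32 yields under the concatenation assumption above.
    store = StatusDatastore()
    sid = store.issue("CA-IA-PASSPORTOFFICE", "IA-Passport-123456", "10123456")
    print("status identifier:", sid, "revoked:", store.is_revoked(sid))
    store.revoke_by_holder(sid, "10123456")
    print("after holder revocation, revoked:", store.is_revoked(sid))
    store.restore_by_holder(sid, "10123456")
    print("after restoration, revoked:", store.is_revoked(sid))
```

Because the holder path only touches the "IO-Hash-UUID" field, a holder cannot restore a certificate whose "IA-Hash-UUID" field the verification module has nulled.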
[97] The method steps as described above may be implemented as computer program code instructions executable by the respective processors of the registration authority module 106, the relying party module 116, and the recipient device 126. The computer program code instructions may be divided into one or more computer program code instruction libraries, such as dynamic link libraries (DLL), wherein each of the libraries performs one or more steps of the method. Additionally, a subset of the one or more of the libraries may perform graphical user interface tasks relating to the steps of the method.
[98] Throughout this specification, unless the context requires otherwise, the words "comprise", "comprises" and "comprising" will be understood to imply the inclusion of a stated step or element or group of steps or elements but not the exclusion of any other step or element or group of steps or elements.
[99] In the context of this document, the term "bus" and its derivatives, while being described in an embodiment as being a communication bus subsystem for interconnecting various devices including by way of parallel connectivity such as Industry Standard Architecture (ISA), conventional Peripheral Component Interconnect (PCI) and the like or serial connectivity such as PCI Express (PCIe), Serial Advanced Technology Attachment (Serial ATA) and the like, should be construed broadly herein as any system for communicating data.
[100] As described herein, :a computer implemented method " should not necessarily be inferred as being performed by a single computing device such that the steps of the method may be performed by more than one cooperating computing devices.
[101] S imilarly objects as used herein such as :web server" server" iclient computing device " xomputer readable medium" and the like should not necessarily be construed as being a single object, and may be implemented as a two or more objects in cooperation, such as, for example, a web server being construed as two or more web servers in a server farm cooperating to achieve a desired goal or a computer readable medium being distributed in a composite manner, such as program code being provided on a compact disk activatable by a license key downloadable from a computer network.
[102] In this document, the term that refer to a "module _, for example, "registration authority module., "verification module ., or "relying party module., is described as a physical and separate device (for example, a separate server), but the term can also represent a logical or physical part of another device.
[103] In the context of this document, the term "datastore. and its derivatives may be used to describe a single datastore, a set of datastores, a system of datastores or the like. The system of datastores may comprise a set of databases wherein the set of databases may be stored on a single implementation or span across multiple implementations. The term "database, is also not limited to refer to a certain database format rather may refer to any database format For example, database formats may include MyS QL, MyS QLi , X ML or the like.
[104] The term processor, may refer to any device or portion of a device that processes electronic data, e.g., from registers and/or memory to transform that electronic data into other electronic data that, e.g., may be stored in registers and/or memory. A computer, or a computing device, or a computing machine, or a computing platform, may include one or more processors.
[105] The methodologies described herein are, in one embodiment, performable by one or more processors that accept computer-readable (also called machine-readable) code containing a set of instructions that when executed by one or more of the processors carry out at least one of the methods described herein. Any processor capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken are included. Thus, one example is a typical processing system that includes one or more processors. The processing system further may include a memory subsystem including main RAM and/or a static RAM, and/or RO M.
[106] Thus, while there has been described what are believed to be the embodiments of the invention, those skilled in the art will recognize that other and further modifications may be made thereto without departing from the spirit of the invention, and it is intended to claim all such changes and modifications as fall within the scope of the invention. Functionality may be added or deleted from the block diagrams and operations may be interchanged among functional blocks. Steps may be added or deleted to methods described within the scope of the present invention.
[107] Although the invention has been described with reference to specific examples, it will be appreciated by those skilled in the art that the invention may be embodied in many other forms.
Industrial Applicability
[108] It is apparent from the above, that the embodiments described are applicable to digital identity management and other applicable industries.

Claims

The claims defining the invention are as follows:
1. A computer implemented method for restoring a revoked digital certificate for identification data associated with an entity, the method comprising:
receiving, via a communication interface, the identification data associated with the entity;
transmitting, via the communication interface, the identification data to a verification module for verification of the identification data with respect to the entity;
receiving from the verification module an indication indicating that the identification data is verified with respect to the entity;
generating a digital certificate to indicate the verification of the identification data based on the indication;
generating an identifier associated with the digital certificate; and
storing the identifier in a storage device in association with the digital certificate;
receiving a request for revocation of the digital certificate associated with the entity;
storing the identifier associated with the digital certificate in a revocation datastore to indicate that the digital certificate associated with the entity is revoked;
receiving, via the communication interface, the identification data associated with the entity;
transmitting, via the communication interface, the identification data to the verification module for verification of the identification data with respect to the entity;
receiving from the verification module a further indication indicating that the identification data is verified with respect to the entity;
generating a further digital certificate to indicate the verification of the identification data based on the indication;
generating a further identifier associated with the further digital certificate and the identifier; and
storing the further identifier in association with the identifier in the revocation datastore to indicate that the further digital certificate is not revoked.
2. A computer implemented method for generating a digital certificate for identification data associated with an entity, the method comprising:
receiving, via a communication interface, a certification request to generate the digital certificate for the identification data, the certification request including the identification data and a certification request identifier to identify the certification request;
transmitting, via the communication interface, the identification data to a verification module for verification of the identification data with respect to the entity, the verification module being identified by a verification module identifier;
receiving from the verification module an indication indicating that the identification data is verified with respect to the entity and a transaction identifier identifying the identification data;
determining a status identifier based on hash values of the verification module identifier, the transaction identifier and the certification request identifier;
generating the digital certificate including the identification data, the indication and the status identifier; and
sending the digital certificate to a computing device associated with the entity for the digital certificate to be stored on the computing device.
3. The computer implemented method of claim 2, wherein generating the status identifier comprises:
applying a hash operation to the verification module identifier to determine a first hash value;
applying the hash operation to the transaction identifier to determine a second hash value;
applying the hash operation to a combination of the first hash value and the second hash value to determine a third hash value;
applying the hash operation to the certification request identifier to determine a fourth hash value; and
applying the hash operation to a combination of the third hash value and the fourth hash value to determine a fifth hash value as the status identifier.
4. The computer implemented method of claim 3, further comprising:
generating a status record including the status identifier, the third hash value, and the fourth hash value ; and
storing the status record in a status datastore.
5. The computer implemented method of claim 4, further comprising:
receiving a revocation request to revoke the digital certificate associated with the entity; the revocation request including the certification request identifier and the status identifier;
identifying the status record in the status datastore by the status identifier;
applying the hash operation to the certification request identifier to determine a hash value of the certification request identifier;
if the hash value of the certification request identifier is equal to the fourth hash value in the status record, replacing the fourth hash value in the status record with a NULL value to indicate that the digital certificate is revoked.
6. The computer implemented method of claim 5, further comprising:
receiving a restoration request to restore the revoked digital certificate associated with the entity; the restoration request including the certification request identifier and the status identifier;
identifying the status record in the status datastore by the status identifier;
applying the hash operation to the certification request identifier to determine the fourth hash value;
replacing the NULL value in the status record with the fourth hash value to indicate that the revoked digital certificate is restored.
7. The computer implemented method of claim 4, further comprising:
receiving a revocation request to revoke the digital certificate associated with the entity; the revocation request including the transaction identifier;
applying the hash operation to the verification module identifier to determine the first hash value;
applying the hash operation to the transaction identifier to determine the second hash value;
applying the hash operation to the combination of the first hash value and the second hash value to determine the third hash value;
identifying the status record in the status datastore by the third hash value;
replacing the third hash value in the status record with a NULL value to indicate that the digital certificate is revoked.
8. The computer implemented method of claim 4, further comprising:
receiving a status enquiry request to check if the digital certificate associated with the entity is revoked or not; the status enquiry request including the status identifier;
identifying the status record in the status datastore by the status identifier;
determining the other two hash values in the status record;
applying the hash operation to a combination of the other two hash values in the status record to determine a hash value;
if the status identifier is equal to the hash value, generating a first message indicating that the digital certificate is not revoked; and
if the status identifier is not equal to the hash value, generating a second message indicating that the digital certificate is revoked.
9. The computer implemented method as claimed in claim 2, the method further comprising storing the digital certificate in association with the identification data in a storage device.
10. The computer implemented method as claimed in claim 2, wherein the identification data comprises one or more of the following attributes associated with the entity:
a name;
a registered address;
a date of birth;
a date of incorporation;
a digitised photograph;
a healthcare system identification;
a vehicle license registration number;
a passport number;
a tax file number;
a social security number;
a date of issue;
a biometric feature;
a social network identifier;
an email address;
a date of expiry;
a specification of rights;
a specification of restrictions;
a specification of security classifications;
an access key; and
a company registration number.
11. The computer implemented method as claimed in claim 10, wherein generating the digital certificate comprises generating the digital certificate with respect to one or more of the attributes.
12. The computer implemented method as claimed in claim 11, wherein the attributes are provided from one or more of the following sources:
a photo identification document;
a passport;
a driver's license;
a proof of residence;
a citizenship certificate;
a residency certificate;
a university certificate;
a company registration certificate;
a rates notice;
a biometric feature datastore;
a biometric feature collector;
a birth certificate;
a death certificate;
a trust deed;
a certificate of compliance;
a certificate of qualification;
a certificate of authority;
a certificate of registration;
a certificate of ownership;
a certificate of authenticity; and
a marriage certificate.
13. The computer implemented method as claimed in claim 10, wherein the biometric feature represents one or more of following features associated with the entity:
a fingerprint;
a face;
an iris;
a sclera;
a retina;
a gesture;
a gene information;
a deoxyribonucleic acid (DNA) information;
a signature;
hand or finger geometry;
deep tissue illumination; and
voice.
14. The computer implemented method as claimed in claim 9, wherein storing the digital certificate comprises storing the digital certificate in a cloud-based storage device.
15. The computer implemented method as claimed in claim 2, wherein the communication interface comprises one or more of the following:
an Internet connection interface;
a Near Field Communication (NFC) interface;
a Bluetooth Low Energy (BLE) interface; and
an optical information reader.
16. A computer system for generating a digital certificate for identification data associated with an entity, the computer system comprising:
a memory device configured to store machine-readable instructions;
a bus connected to the memory device;
a communication interface connected to the bus; and
a processor connected to the bus, the processor obtaining via the bus the machine-readable instructions from the memory device, and being configured by the machine-readable instructions to:
receive, via the communication interface, a certification request to generate the digital certificate for the identification data, the certification request including the identification data and a certification request identifier to identify the certification request;
transmit, via the communication interface, the identification data to a verification module for verification of the identification data with respect to the entity, the verification module being identified by a verification module identifier;
receive from the verification module an indication indicating that the identification data is verified with respect to the entity and a transaction identifier identifying the identification data;
determine a status identifier based on hash values of the verification module identifier, the transaction identifier and the certification request identifier;
generate the digital certificate including the identification data and the status identifier; and
send the digital certificate to a computing device associated with the entity for the digital certificate to be stored on the computing device.
17. A computer software program, including machine-readable instructions, when executed by a processor, causing the processor to perform the method of any one of the preceding method claims.
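The status-identifier scheme of claims 3 to 8 (and the revoked outcome of paragraph [96]), sketched as an added example that is not part of the patent text. SHA-256, concatenation as the "combination", `None` for NULL, the "unknown" result and all class, method and sample names are assumptions; the check in `restore_by_user` is an added guard that claim 6 does not recite.

```python
import hashlib
import hmac


def h(value: str) -> str:
    """The 'hash operation'. SHA-256 is an assumption; the claims name no algorithm."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def combine(a, b):
    """Hash of a 'combination' of two hash values (assumed: concatenation).
    A NULL (None) field has no valid combination, so the result is None."""
    if a is None or b is None:
        return None
    return h(a + b)


class StatusDatastore:
    """Hypothetical in-memory status datastore holding the claim 4 records."""

    def __init__(self, verification_module_id: str):
        self.vm_hash = h(verification_module_id)           # first hash value
        self.records = {}                                  # status id -> record

    def issue(self, transaction_id: str, cert_request_id: str) -> str:
        third = combine(self.vm_hash, h(transaction_id))   # claim 3
        fourth = h(cert_request_id)
        status_id = combine(third, fourth)                 # fifth hash value
        self.records[status_id] = {"third": third, "fourth": fourth}
        return status_id

    def revoke_by_user(self, status_id: str, cert_request_id: str) -> bool:
        rec = self.records.get(status_id)                  # claim 5
        if rec is None or rec["fourth"] is None:
            return False
        if not hmac.compare_digest(h(cert_request_id), rec["fourth"]):
            return False                                   # requester lacks the identifier
        rec["fourth"] = None
        return True

    def restore_by_user(self, status_id: str, cert_request_id: str) -> bool:
        rec = self.records.get(status_id)                  # claim 6
        if rec is None or rec["fourth"] is not None:
            return False
        candidate = h(cert_request_id)
        # Added guard (not in claim 6): accept the value only if it reproduces
        # the status identifier, so a wrong identifier cannot corrupt the record.
        expected = combine(rec["third"], candidate)
        if expected is None or not hmac.compare_digest(expected, status_id):
            return False
        rec["fourth"] = candidate
        return True

    def revoke_by_verifier(self, transaction_id: str) -> bool:
        third = combine(self.vm_hash, h(transaction_id))   # claim 7
        for rec in self.records.values():
            if rec["third"] is not None and hmac.compare_digest(rec["third"], third):
                rec["third"] = None
                return True
        return False

    def status(self, status_id: str) -> str:
        rec = self.records.get(status_id)                  # claim 8
        if rec is None:
            return "unknown"   # assumption: relying party treats this as a rejection
        recomputed = combine(rec["third"], rec["fourth"])
        if recomputed is not None and hmac.compare_digest(recomputed, status_id):
            return "not revoked"
        return "revoked"


def demo():
    """Walk one certificate through issue, revoke, restore, verifier revoke."""
    ds = StatusDatastore("vm-constructed-01")              # constructed identifiers
    sid = ds.issue("txn-constructed-42", "req-constructed-7")
    trace = [ds.status(sid)]
    for step in (lambda: ds.revoke_by_user(sid, "req-constructed-7"),
                 lambda: ds.restore_by_user(sid, "req-constructed-7"),
                 lambda: ds.revoke_by_verifier("txn-constructed-42")):
        step()
        trace.append(ds.status(sid))
    return trace
```

A relying party should accept a certificate only on "not revoked"; both "revoked" and "unknown" fail closed.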
PCT/AU2018/050175 2017-02-27 2018-02-27 A computer system and a computer implemented method for generating a digital certificate for identification data associated with an entity WO2018152597A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2017900661 2017-02-27
AU2017900661A AU2017900661A0 (en) 2017-02-27 A computer system and a computer implemented method for generating a digital certificate for identification data associated with an entity

Publications (1)

Publication Number Publication Date
WO2018152597A1 true WO2018152597A1 (en) 2018-08-30

Family

ID=63253499

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2018/050175 WO2018152597A1 (en) 2017-02-27 2018-02-27 A computer system and a computer implemented method for generating a digital certificate for identification data associated with an entity

Country Status (1)

Country Link
WO (1) WO2018152597A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18758370

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18758370

Country of ref document: EP

Kind code of ref document: A1