Method, system and service for conducting authenticated business transactions
Patent No. 6957199

Abstract

The invention pertains to a method, online service, and system, for creating partnerships based on trust relationships over a public network, authenticating trade partners, infrastructure providers and collaborators to each other, and providing users with an environment suitable for conducting transactions requiring a high level of trust. A service according to the invention is a persistent authentication and mediation service (PAMS) which is provided as an on-line service. One embodiment is a method for conducting authenticated business transactions involving microprocessor equipped devices over the Internet comprising:
Claims

1. A method for conducting authenticated business transactions involving communications using microprocessor equipped devices to communicate over a distributed network, the method being carried out by an on-line authentication service available on the distributed network, comprising the acts of:

Description

BACKGROUND OF THE INVENTION

The method embodied by the persistent authentication and mediation service provides the major elements of trust required for conducting trade over a network such as the Internet, wherein trust in the service is substituted for trust in the other party, including:

Authentication provided by the PAMS differs from prior art methods, which provide for a population of otherwise unrelated members to authenticate to each other. Authentication by the PAMS is a two step process: first the users authenticate to the PAMS, and then authenticated users are connected to each other under persistent mediation of the PAMS. Authentication of a large and disparate group of users to a single authenticating entity to whom they are known can be done with a much higher level of confidence and trust than direct authentication of the many users to each other. A PAMS according to the invention provides a way to obtain the security possible in many-to-one authentication while achieving the end results of many-to-many authentication. In the two step authentication process, users maintain the high level of confidence that they have in authentication to the PAMS when they are connected to each other under mediation of the PAMS, based on their trust in the PAMS. Thus the PAMS brings the high level of confidence associated with authentication to a single authenticating entity to the situation where many users need to authenticate to each other. The PAMS provides symmetric authentication of users to each other, as opposed to one way authentication of a user to a service or server.
The PAMS provides for authentication of multiple parties to each other. Since all interactions between users are mediated by the PAMS, interactions may be anonymous while still being authenticated. Anonymous transactions are conducted by referencing the identity rather than revealing it. Verified information about authenticated users can be exchanged without revealing the actual identity of the users to each other. The combination of authentication with mediation allows for user management of privacy and negotiation between parties on what will be revealed. This latter feature is important in the early stages of establishing a trusted relationship. A mediated interaction has an audit trail which is maintained under the control of the PAMS but is available to the users. An important feature of an interaction under the PAMS is that users, including users of different types, interact under circumstances where, after their identity is authenticated by the PAMS and they are connected to other users under mediation of the PAMS, the interaction continues to be mediated by the PAMS for its whole duration, so that an audit trail is accumulated. The audit trail is available to the users during the interaction. Another key feature is that groups of three or more users may interact. The mediated environment is a key part of establishing trust in the identity of the parties during the authentication process and is the basis for monitoring and enforcing trust during and after the transaction. Since all transactions utilizing the PAMS are mediated and monitored at an application level, it is possible to accumulate an independent rating of users based on performance as monitored by the service: for instance, the number of relationships a user or business has, the number of deals conducted, the dollar value of deals, reliability in responding to requests, response time to requests, etc.
This information could be used by a business to monitor performance of employees, by an authentication insurance provider to rate the risk associated with insuring transactions of a particular business or user, or by a member in deciding whether to form a trusted relationship with another member. A preferred implementation of the invention utilizes two new classes of network software which are particularly and synergistically suited for providing the PAMS. A preferred implementation comprises a host site connected to the network, the host site including at least one computer server operated by an open software platform providing intelligent interactions; a persistent authentication and mediation service comprising a strong software pseudo PKI authentication agent operating on the open software platform; an audit agent operating on the open software platform for compiling an audit trail of mediated interactions; and application software operating on the open software platform with functionality for enrolling users, authenticating enrolled users, allowing authenticated users to dynamically find suitable partners according to criteria which they specify, allowing authenticated partners to interact under the mediation of the persistent authentication and mediation service through the open software platform, and allowing members access to the audit trail at the application level, including access to the content of the interaction. The authentication system further comprises a customer database server comprising a database of information about the registered businesses, the database being accessible to the persistent authentication and mediation service. In the context of this application, an open software platform refers to a platform where users and enabled services operating under the platform can interact regardless of their hardware or operating systems, system management strategies, development environments or device capabilities.
Intelligent interaction refers to the ability of enabled services to discover, negotiate, mediate, and compose themselves into more complicated services. A preferred open software platform is Hewlett Packard's e-Speak, currently available as version 3.01. The e-Speak platform is implemented by an e-Speak core program which operates on a user's computer or server. In e-Speak, enabled services are referred to as e-Services. The ability to discover refers to the fact that when an e-service registers with a host system accessible to the Internet and creates a description of the service it provides, users of the system can automatically discover services which have desired attributes and contact them without needing to have known about the service in advance or knowing its URL. To negotiate refers to the fact that e-Speak negotiates between the requester and provider to eliminate services which are outside of the requested criteria. To mediate refers to the fact that users are connected through the e-Speak core and e-Speak continuously intermediates the service delivery after the user and e-service have been connected. The mediation is persistent in that an asynchronous message transfer system is provided to retain messages until delivered. While e-Speak mediates all interactions, it does not create a permanent audit trail by saving the interactions after delivery. The audit function of PAMS is an application running on e-Speak called the audit agent. An audit trail may include the content of an interaction. The audit agent intercepts specified events or messages during mediation based on application level monitoring, and stores them in a database. To compose refers to the ability of e-services to combine themselves into more complex, cascading e-services, even dynamically. e-Speak is in essence an "operating system" for building e-services operating on the platform. Open source software is provided to build business applications.
The e-Speak platform does not by itself provide sufficient security, since no way is provided to protect the user private keys. Also, e-Speak is intended for services to interact and transact without being centrally managed or provided. Central to the original intent of e-Speak is that a service which is registered according to a known vocabulary is instantly discoverable to another party through the dynamic discovery feature. A persistent authentication and mediation service according to the invention requires all users to register with the PAMS to become part of a closed community. The PAMS is antithetical to the original intent of the open software platform and uses it in a fundamentally different manner than intended. A preferred technology for software protected pseudo PKI is a system such as the pseudo PKI system described in U.S. Pat. No. 6,170,058, "Method and Apparatus for Secure Cryptographic Key Storage, Certification and Use", and in "Software Smart Cards via Cryptographic Camouflage" by D. Hoover and N. Kausik (1999 IEEE Symposium on Security and Privacy). The above technique protects the private key by means of cryptographic software camouflage, which provides security benefits similar to hardware based PKI but is limited to circumstances where messages are only verified by pre-defined trusted entities. This restriction arises because, to maintain security of the private key, the method requires that the user's public key be distributed on a certificate in an encrypted form which can only be decrypted by a secret key: if the public key were available in the clear, anyone holding a copy of the camouflaged key could test password guesses offline against it. For this reason, the technique has generally been relegated to authenticating users to a server. Since the public key is only made available in encrypted form, the system may be called pseudo PKI. The software camouflage technique places the private key at the user's site so that it is released when the user enters a correct password.
The private key is not merely encrypted with the password, however; it is said to be camouflaged because when an incorrect password is entered, in many cases a false but otherwise plausible private key is generated. A challenge message encrypted with a false key is identifiable as such only when submitted for authentication to the verifier, which holds the true public key. The software camouflaging technique is readily scaled to large numbers of users since authentication is only carried out by a limited number of servers. This allows for a minimal software requirement on the user's network access device and eliminates the need for hardware protection of the private key. The pseudo PKI technology described above has been implemented in software known as WebFort™. WebFort™ is not capable of operating in a distributed e-services environment; it is suitable for authenticating users to a server or integrated group of servers which constitutes a resource the user seeks to access, rather than for common authentication of unrelated entities to each other. The WebFort™ system does not support a mediated infrastructure. In a preferred implementation of the instant invention, the WebFort functionality is organized into separate components and encapsulated in a custom software container operating on the e-Speak core to provide the functionality needed for authentication by the PAMS. The discovery and collaboration features are implemented as software applications operating on the e-Speak core. Interactions between users and the PAMS, and between users connected through the PAMS, are mediated by the e-Speak core. An audit trail of mediated interactions is created and preserved by audit agent software operating on the e-Speak core.
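The camouflage mechanism described in the two preceding paragraphs, as an added worked example that is not code from the patent, from WebFort or from e-Speak. Hoover and Kausik camouflage RSA keys; this demo swaps in a Schnorr-style signature over secp256k1, where every scalar in [1, n-1] is a valid private key, so that decoding the card with a wrong password always produces a plausible key. It shows the three properties the text relies on: a wrong password yields a well-formed key, only the server holding the (never published) public key can tell the difference, and if that public key leaked, the same password guess could be confirmed offline with no server involved. The PBKDF2 parameters, the challenge format, the lockout threshold and the user name are assumptions made for the example.

```python
# Added illustration of a password-camouflaged private key that only one trusted
# server can check (the pseudo-PKI model described above).  Not code from the
# patent, WebFort or e-Speak; Schnorr over secp256k1 stands in for the RSA
# camouflage of Hoover and Kausik.  PBKDF2 parameters are an assumption.
import hashlib
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; curve is y^2 = x^3 + 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def scalar_mult(k, pt=G):
    """Double-and-add (demo only: not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def h_int(R, msg):
    data = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(x, msg):
    k = secrets.randbelow(N - 1) + 1
    R = scalar_mult(k)
    return R, (k + h_int(R, msg) * x) % N

def verify(pub, msg, sig):
    R, s = sig
    return scalar_mult(s) == point_add(R, scalar_mult(h_int(R, msg), pub))

def password_pad(password, salt):
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)
    return int.from_bytes(raw, "big") % N

def camouflage(x, password):
    """Software smart card: x is shifted by a password-derived scalar, so
    decoding with ANY password gives a well-formed key."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "blob": (x + password_pad(password, salt)) % N}

def decamouflage(card, password):
    return (card["blob"] - password_pad(password, card["salt"])) % N or 1

class Pams:
    """Sole holder of the public key (the 'encrypted public key' of pseudo
    PKI), so wrong guesses are testable only online, where they are counted."""
    MAX_FAILURES = 5
    def __init__(self):
        self.pubkeys, self.failures, self.pending = {}, {}, {}
    def enroll(self, user, pub):
        self.pubkeys[user], self.failures[user] = pub, 0
    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]
    def authenticate(self, user, sig):
        c = self.pending.pop(user, None)
        if c is None or self.failures[user] >= self.MAX_FAILURES:
            return False
        ok = verify(self.pubkeys[user], c, sig)
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok

def login(pams, user, card, password):
    """Client side: release the (possibly false) key and sign the challenge."""
    x = decamouflage(card, password)
    return pams.authenticate(user, sign(x, pams.challenge(user)))

def offline_guess_works(card, leaked_pub, guess):
    """What an attacker could do if the public key were published."""
    return scalar_mult(decamouflage(card, guess)) == leaked_pub

def demo(password="correct horse"):
    x = secrets.randbelow(N - 1) + 1
    pub, pams = scalar_mult(x), Pams()
    pams.enroll("alice", pub)
    card = camouflage(x, password)
    return {
        "login_ok": login(pams, "alice", card, password),
        "login_wrong_pw": login(pams, "alice", card, password + "!"),
        "false_key_looks_valid": 1 <= decamouflage(card, "guess") < N,
        "offline_attack_if_pub_leaks": offline_guess_works(card, pub, password),
        "offline_attack_wrong_guess": offline_guess_works(card, pub, "guess"),
    }

if __name__ == "__main__":
    print(demo())
```

The design point is in `Pams`: because the public key never leaves the service, a stolen card gives an attacker nothing to test guesses against except the live server, which can count failures and lock the account. `offline_guess_works` is the attack that becomes possible the moment the public key is published in the clear, which is why the text restricts verification to pre-defined trusted entities.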
The preferred network is the public Internet, though embodiments of the invention can be applied to other public or private networks as well, and while the methods are described as being capable of facilitating transactions in global trade, it should be appreciated that the invention is equally applicable to smaller distances and other networks and is not limited to global trade or the Internet. The combination of the software pseudo PKI authentication agent, the audit agent, and the intelligent software platform provides unexpected benefits for enabling global business transactions. Placing the authentication agent on the intelligent software platform (e-Speak) makes it possible to realize the security benefits of PKI in a manner practically suited for use in world trade, where there are a large number of users seeking authentication to each other, as distinguished from authentication of users to a single server or service to which they seek access. The use of an encrypted public key in pseudo PKI is not a limitation since the PAMS is an intermediary to authentication and users have no need to know other users' public keys: authentication between two users occurs by both being individually authenticated to the PAMS and then being authenticated to each other through mediation of the PAMS. The combination allows for providing the important elements identified for conducting business in an authenticated environment. In particular, users can dynamically locate suitable partners who are also enrolled in the system based on the software platform's discovery capability, and can become authenticated to other suitable users which have been located. Users have both fixed information which has been verified and dynamically variable data to aid in selection.
Once suitable partners have been identified they can be introduced and connected as equals under the mediation of the persistent authentication and mediation service through the open software platform, with the same high level of trust and confidence that they would have if each user maintained his own PKI authentication infrastructure. A collaboration environment is provided to facilitate making and memorializing a deal based on the persistent mediation of the software platform and the audit trail created by the audit agent. Sufficient evidence is collected to support non-repudiation. Partners are able to put together a complex project team by locating and seamlessly connecting additional authenticated participants. Workflow tools, authenticated bulletin board interactions, trading partner agreements, and deal libraries are provided. There is an important additional benefit which accrues from using an open software platform such as e-Speak on which many user web sites will be operating. When the e-Speak core is operating on a user's computer or server, performance of the PAMS will be improved because mediated communications will proceed directly between the e-Speak cores by the e-Speak Interchange Protocol (ESIP), which is an optimized data transport specifically developed to handle e-Speak traffic on heavily used web sites. Users may be of any type which has access to the network through a microprocessor equipped device. A first type of user accesses the Internet through an Internet Service Provider using a browser. A second type of user has outsourced authentication for a web site or other network accessible application to the persistent authentication and mediation service. A third type of user could be a web connected automated software application or software operated hardware device. During the enrollment process each user would receive software which allows the particular user type to interact with the persistent authentication and mediation service.
Each user would also receive a software smart card containing a camouflaged private key and a digital certificate containing an encrypted public key. Usually users are part of a larger group, generally a business. A business will generally enroll with its own identity, which will be verified by the persistent authentication and mediation service, as well as a number of users which may include a combination of the types of users. Each user will have one or more personas, each of which contains a subset of the verified business and user information. A persona identifies a user as part of the business as well as a particular unique individual (human or otherwise). Each business and user will also have information which may be dynamically varied by the user, such as a "shopping list" or inventory list. A persona can identify a user's role within a business, such as title or the amount the user is authorized to spend. A persona can be anonymous or not. The authentication process can be initiated by a direct request from the user to the persistent authentication and mediation service or alternatively by a request to another user's world wide web site which uses the persistent authentication and mediation service to regulate access to the site. In the latter case, the software provided to the web site will refer the user to the PAMS, which will authenticate the user and connect it to the web site, now under mediation of the PAMS. All communications with the persistent authentication and mediation service are mediated through the open software platform, and once connected the user's interaction will be mediated by the persistent authentication and mediation service through the open software platform. Once a user has authenticated to the PAMS, it will not be necessary to repeat that process when gaining access to other users where an existing relationship exists or to connect to users which allow access to any user who is authenticated to the PAMS.
This is a very useful feature, allowing multiple contacts without repeated login procedures. Some users will require the option to review and approve other users before granting them access. A unique feature of the PAMS is its ability to provide one or more additional Authentication Providers (AP) in addition to the default authentication application described above as part of the persistent authentication and mediation service. These additional Authentication Providers would perform private key software smart card issuance and authentication in some specialized manner, such as extremely rapid authentication, authentication accompanied by authentication insurance, or stronger security due to longer cryptographic keys. Thus the PAMS goes beyond the traditional role of providing a simple confirmation of whether a user is authentic and allows a user to personalize authentication needs. For instance, some users will only want to deal with other users who use authentication accompanied by authentication insurance. Similarly, PAMS can provide more than one Audit Provider in addition to the default functionality provided in PAMS. Additional providers may perform special functions such as service quality monitoring, transactional volume monitoring, and status monitoring to support functions such as producing a bill for a service provider. PAMS is uniquely situated to monitor members' usage of other members' services and bill accordingly, based on the mediation of all transactions. Another similar feature is that PAMS can be used to compile a map of transactions carried out by users. This map would show the type or frequency of contacts with other users. Another similar feature is that users' membership agreements may state that employees can only trade up to the amount for which they are authorized by the company. PAMS would track the amount purchased through PAMS and proactively notify the business of any exceptions.
The value the audit agent and audit providers add is the ability to enforce trust relationships. An object of the invention is to provide a method and system for providing a Persistent authentication and mediation service for reliably authenticating potential trade partners, infrastructure providers and collaborators of disparate types and widely separated locations to each other over a distributed network such as the public Internet, and providing authenticated users with an environment suitable for conducting business transactions requiring a high level of trust, particularly in world wide trade. A further object of the invention is to provide a method and system for providing a Persistent authentication and mediation service over a distributed network which is suitable for authentication of groups of disparate and widely separated users to each other under circumstances such as global trade where a trusted relationship is required. A further object of the invention is to provide a method and system for providing a Persistent authentication and mediation service over a distributed network which will allow users to locate suitable trusted collaborators based on dynamically variable and verified information. A still further object of the invention is to provide a method and system for providing a Persistent authentication and mediation service over a distributed network which will allow groups of authenticated users to interact under the mediation of the Service, such that the Service directly compiles an audit trail and information from the audit trail is made available to the interacting users. A still further object of the invention is to provide a method and system for providing a Persistent authentication and mediation service over a distributed network which allows for peer to peer mutual authentication of groups of users of different types.
A still further object of the invention is to provide a method and system for providing a Persistent authentication and mediation service over a distributed network which allows users to substitute trust in the Service for a direct relationship with another user in the steps of finding potential suitable trade partners, authenticating the identity of other users, and conducting a secure mediated interaction with other users.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects and advantages of the present invention will become better understood with regard to the following description, appended claims and accompanying drawings, where:
FIG. 1 is an overview block diagram of a preferred Persistent Authentication and Mediation Service (PAMS) which shows the system architecture.
FIG. 2 is a diagram which shows a typical load balancing configuration of a PAMS system.
FIG. 3 is a block diagram showing the key process steps of a PAMS.
FIG. 4 is a block diagram showing the registration process.
FIG. 5 is a block diagram showing the authentication process.
FIG. 6 is a block diagram showing the discovery process.
FIG. 7 is a block diagram illustrating the process whereby two users establish a relationship.
FIG. 8 is a block diagram illustrating the collaboration process.
FIG. 9 is a block diagram illustrating an application of a PAMS to an exchange (Example 3).
FIG. 10 is an exemplary Home Page for a PAMS.
FIG. 11 is an exemplary Discovery Portal for a PAMS.
FIG. 12 is an exemplary Persona Portal.
FIG. 13 is an exemplary Collaboration Portal.
FIG. 14 is a drawing which shows typical hardware for a PAMS.
FIG. 15 is a flow chart of a normal PAMS workflow.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

General Description of the Service

The instant invention pertains to a method, an online service, and a system, for reliably authenticating trade partners, infrastructure providers and collaborators to each other over a distributed network such as the public Internet and providing authenticated users with an environment suitable for conducting business transactions requiring a high level of trust, particularly in world wide trade. One preferred embodiment of the invention is an on-line persistent authentication and mediation service (PAMS) which is provided on a distributed public network such as the Internet. As used herein, a PAMS is a service provided over a network which is capable of authenticating groups of two or more users to each other by authenticating each user to the PAMS and then connecting authenticated users under persistent mediation of the PAMS. Authentication refers to the process of a first entity proving its identity to one or more other entities over the network. Mediation refers to the fact that communications between authenticated users pass through the PAMS, giving the PAMS the capability to monitor the interaction and compile an audit trail. Persistent refers to the fact that the interaction remains mediated during the entire interaction, and that messages are transferred asynchronously so that the service retains a message until it is delivered. In the context of this application, an on-line PAMS is a service which is provided over a public network, such as the Internet, which is directly accessible to users of the network having the ordinary hardware to access the network, based on authentication and persistent mediation supplied by the PAMS. Authentication among many users, according to the invention, is thus a two step process comprising authentication of each user to the PAMS followed by connection of the authenticated users through mediation of the PAMS.
The two step process allows unexpected benefits in the level of security and trust in the authentication and in the scalability of the system, particularly when there are a large number of widely separated users of many different types seeking to authenticate to each other. It should be appreciated that authentication of many users to a central party (many-to-one authentication) is intrinsically capable of much greater security and assurance than providing for each of the many users to authenticate directly to each other (many-to-many authentication). Yet the needs of e-commerce, as applied particularly to global trade, require the more difficult many-to-many requirement to be solved. A PAMS according to the invention provides a way to obtain the security possible in many-to-one authentication while achieving the end results of many-to-many authentication. In general, the goal of authentication in large scale electronic commerce is to provide the capability for "stranger-to-stranger" authentication, that is, authentication of any two parties where the parties have complete trust that they know who they are dealing with while having had no prior relationship. In fact, what is required is the even more difficult task of authenticating a group (two or more) of strangers to each other. This can be accomplished in principle with a Public Key Infrastructure (PKI) where each party has a private key and a public key. The private key is known only to the owner while the public key is readily available but associated in some way with the owner. In order to be useful for authentication the private key must be subject to the strictest security measures so that no other party can have access to it or invoke it. Also, a trustworthy third party must verify the public key/private key pair and verify that the private key is in the possession of the actual person seeking to use the keys for authentication.
This is usually done by a trusted third party certification authority (CA) issuing a digital identity certificate binding the identity of the owner to a public key and signing the certificate with the private key of the CA (signing is the process of transforming a message, or a digest of the message, with a party's private key so that a person seeking to authenticate the message can invert the transformation with the party's public key and compare the result with the original message or digest to see whether they are identical). The method is no more secure than the confidence in the identity certificates and the confidence in the security of the private keys. In practice a very extensive infrastructure would need to be supplied to accomplish a secure stranger-to-stranger system, usually employing a second agent known as a Registration Authority (RA) who verifies the actual identity of a party seeking a certificate, obtains the public key, verifies that the party is in possession of the private key and that the private key is secure, and arranges for the secure delivery of the certificate. An authentication system such as described above is often called an "open" authentication system, in that parties may authenticate without having a prior direct relationship to each other. A less satisfactory alternative to PKI for authentication in a closed authentication system may be realized by requiring a user to share information they know or otherwise produce evidence of their identity. Many authentication techniques have been developed for this purpose, such as user-ID/password and symmetric cryptosystems such as Kerberos. These systems provide a lesser degree of security than PKI and are not generally satisfactory, but may be acceptable when combined with the extra security PAMS mediation provides. For example, a user-ID/password could be supplemented by PAMS requiring the user to answer a question based on information in the PAMS audit trail.
The many-to-one model is intrinsically more secure than the many-to-many model simply because the certificates are only used by the one party which authenticates users seeking to use the resource which it protects. Ideally the authenticating party is also the CA and RA, or is closely related to them. This is a model often used for authentication within an enterprise where the authenticating party is protecting access to some resource, where the group is limited in size and has a "real life" relationship to the authenticating party through the enterprise. It is often practical, in such an environment, to protect the private keys with very secure devices such as hardware smart cards, and to provide a further measure of security by encrypting the public key with a key known only to the authenticating party. Such a system provides a very high level of security and a very high level of confidence or trust that a user seeking authentication is the party it purports to be. An authentication system is said to be closed when a party being authenticated requires a prior relationship with the authenticating party. Thus a PKI architecture is often termed "closed" when only the CA relies on the identity certificates for authentication. In such a system parties must have a prior relationship with the CA prior to authentication. The complexities of the many-to-many model generally preclude the use of secure devices such as hardware smart cards, which become impractical to manage and prohibitively expensive for a large, disparate, and widely separated user population. Further, the identity certificates must be usable by each of the users to authenticate the identity of other parties.
This situation is the familiar open PKI, which is well known in the art today, where users are forced to rely on identity certificates generated by an unrelated CA whose degree of diligence in verifying the true identity of the certificate holder is suspect, and where the security of the private keys may vary from user to user. A PAMS according to the invention is a hybrid of open and closed architectures in that it provides users authenticating to each other in a many-to-many environment with the high degree of confidence and security that characterizes the many-to-one environment, because each user in fact begins a session by authenticating itself to the PAMS according to the many-to-one closed model, where only the PAMS must directly rely on the identity certificates, and it has issued those certificates. The users then authenticate with other users by virtue of their trust in the PAMS and their connection to the other users, which is mediated by the PAMS. Users of the PAMS have their identities verified through an enrollment process prior to being eligible for authentication to other users. Authentication of a first user and a second user in PAMS is accomplished by the first user and the second user authenticating to PAMS using a closed system architecture, preferably a closed PKI architecture, and then authenticating to each other by PAMS connecting the first member and the second member to each other using the persistent mediation of PAMS. It should be noted that a novelty of the instant invention is the application of a closed authentication model to a system that can comprise many members authenticating to each other, for instance in a manner consistent with meeting the demands of authentication among trading partners in global trade conducted over the Internet. A PAMS according to a preferred embodiment of the invention authenticates users based on a PKI system where the private key and digital certificate are secured by software.
This is important so that the system will be practically scalable to a population of many distant and disparate users. Registration, distribution and administration can be accomplished over the network. A preferred PKI system involves protection of the private key by cryptographically camouflaging it in a software container, i.e. a software smart card. This system provides the same level of protection as hardware smart cards under circumstances where the public key is encrypted so as to be accessible only to the party performing authentication. The structure of the PAMS allows adherence to the latter condition. It should be noted that while the PAMS issues software smart cards, the cards will generally conform to standards which allow them to interact with other devices. For instance, the Public-Key Cryptography Standards (PKCS) define a set of intervendor standard protocols for making possible secure information exchange on the Internet using a PKI. PKCS #11 defines a technology-independent programming interface, known as Cryptoki, for cryptographic devices such as smart cards and PCMCIA cards. The preferred embodiment of the invention is compatible with PKCS #11. Those skilled in the art will appreciate that a PAMS could also adopt alternate compatibility standards. Thus it is possible for an application to request credentials from a software smart card just as if it were a hardware card, and for the PAMS to accept credentials from a hardware card. The PAMS establishes a trust domain which follows a single certificate policy statement, so that all users trust the authentication from anywhere in the domain. The main trust domain of the preferred embodiment uses software smart cards as the authentication approach. However, the PAMS offers a capability to recognize and authenticate credentials of external Registration Authorities which define trust domains external to the PAMS and secure user credentials in a compatible device.
Of course, to maintain the PAMS trust integrity, i.e., that any user in either domain will trust the authentication of another user through the PAMS, external Registration Authorities require a higher level of security validation to the PAMS prior to service. Privacy is an important issue in PKI. Since the identity of a party is an integral part of the identity certificate, it is awkward to separate authentication from the party's actual identity without having a plethora of identity or attribute certificates for each user. In a PAMS according to the invention, a user inherently reveals its identity to the PAMS, but has the ability to control which information is passed on to the other party, making it possible to have an anonymous authenticated interaction. For instance, a view of a user's relevant verified credentials or role within a company could be passed on without actually identifying the user. Authentication is the first part of a trust relationship. Since users are connected under mediation of the PAMS, the interaction continues to be monitored by the PAMS, establishing an audit trail which is accessible to the interacting users. The PAMS provides a non-repudiation environment which ultimately supports enforcement of the results of the interaction. The PAMS provides functionality which allows users to discover other members according to dynamically variable criteria, based on information which has been verified by the PAMS as well as user-controlled information. The PAMS provides functionality for collaboration between members and documentation of the collaboration based on the audit trail compiled through the mediation function. Collaboration may include many normal network functions provided in a non-repudiation environment, such as certified-delivery electronic mail and the ability to sign documents and verify the signing. Trust may be based on the reputation of a party, that is, a generally held opinion about the party.
A party may have confidence or trust in another party based on its own experience in dealing with that party. This method is often used in everyday transactions and is often a time-consuming learning process based on a sequence of transactions of gradually increasing importance. Trust may also be based on general reputation in a community where the parties interact. Trust may also be based on recommendations of other parties. Finally, trust may be based on insurance obtained from an outside source. The structure of the PAMS provides an unexpected benefit in providing a basis for establishing trust in direct transactions over a public network such as the Internet without the necessity of any relationship other than with the PAMS. The PAMS begins the establishment of trust by verifying the identity of users and verifying their credentials in an enrollment process prior to issuing an identity certificate. The PAMS also has the ability to allow a user to select from alternative authentication options which offer different levels of security, convenience and cost. Since interactions between users are mediated by the PAMS, the PAMS may obtain a continuously evolving independent rating of a user based on the number, type and quality of interactions, and a reputation based on feedback from other users. This information can be supplied to other users considering establishing a relationship, or to an insurance provider who can provide insurance for a transaction based on the reputation or the parties' authentication security level. The preferred method for providing a persistent authentication and mediation service (PAMS) on a public distributed network involves the following acts: A persistent mediated interaction has an audit trail which is maintained under the control of the PAMS, and is available to the users.
An important feature of an interaction under the PAMS is that users, including users of different types, interact under circumstances where, after their identity is authenticated by the PAMS and they are connected to other users under mediation of the PAMS, the interaction continues to be mediated by the PAMS for its duration, so that an audit trail is accumulated. The audit trail is available to the users during the interaction and may include the content of the interaction. Exactly what content will be preserved is user-determined. Another key feature is that groups of three or more users may interact. The mediated environment is a key part of establishing trust in the identity of the parties during the authentication process and is the basis for monitoring and enforcing trust during and after the transaction. Mediation of interactions also provides capabilities which are ancillary to authentication. One capability is for businesses to monitor the quality of service provided by their business partners. Another example is to monitor the response time experienced by visitors to the business's site. Mediation is a valuable feature which most users will wish to retain throughout an interaction. However, in some cases users may choose to continue the interaction outside of the PAMS mediation and the audit trail. Mediation is mandatory for establishment of full trust during authentication, but optional after authentication. Users may elect to carry on interactions through a parallel connection which is not mediated by the PAMS, and the PAMS may readily be configured to offer users the option to alternate between the mediated and the direct connection. When all transactions are mediated, the PAMS provides the optional feature of monitoring one user's use of another user's resources, and billing for those resources. Another optional feature is to compile a transaction usage map for users which reveals the identity and frequency of a user's contacts with other users.
This feature can provide a valuable tool for analyzing a user's business patterns, for instance identifying bottlenecks. Another optional feature is the capability for authenticated users to interact with network users which are not authenticated or even enrolled in the PAMS. For instance, an authenticated Internet user accessing the PAMS with a browser may access a web site which is not enrolled in the PAMS by entering the URL into the Discovery Portal. A user which is connected to the non-enrolled site does not enjoy the full benefits of the PAMS; however, the interaction will be mediated by the PAMS, including the audit trail. The authenticated user will also have the capability of anonymous interaction with the non-enrolled site, since the PAMS can remove the identifying header information from the Internet message. Another application of persistent authenticated mediation is anonymous processing of credit card transactions. In current applications, a cardholder transmits his credit card information to a merchant over an Internet connection. The merchant, in turn, seeks authorization by transmitting the information to the merchant's bank (called the acquiring bank), which in turn seeks authorization from the cardholder's issuing bank. An approval is passed back to the merchant through the acquiring bank, and the merchant completes the transaction. In the PAMS-mediated transaction, the cardholder has authenticated to the PAMS and is shopping with the merchant under mediation of the PAMS through a PAMS application, for example a wallet program such as Netar operating as a PAMS application program. The cardholder enters his credit card information into the wallet, and a corresponding reference ID is created. The reference ID looks like a credit card number and is partly composed of random numbers the cardholder can enter, as well as required information such as the Bank Identification Number (BIN) of the Payment Processor, who is a PAMS external Service Provider.
The Payment Processor also has access to the credit card network (such as VISA or Mastercard). When a payment is to be made, the reference ID is passed to the merchant in place of a credit card number. The merchant takes the reference ID to be a credit card number and passes it on to the acquiring bank. The acquiring bank sends the transaction to the Payment Processor, which the acquiring bank takes to be the issuing bank. The Payment Processor obtains the cardholder's actual credit card number and billing address from Netar, and these are passed to the issuing bank for authorization. Authorization or rejection is passed back to the merchant through the Payment Processor and the acquiring bank. The cardholder's interaction with the merchant can be as anonymous as desired, and the cardholder's confidential information is not transmitted over the Internet (only the transactions between the merchant and the cardholder are transmitted over the Internet; all others are high-speed secure transmissions). Additional benefits accrue when the Payment Processor is also the acquiring or issuing bank. A unique feature of the PAMS is its ability to provide one or more additional Authentication Providers (APs) in addition to the default authentication application which was described above as a part of the persistent authentication and mediation service. These additional APs all interface through the default authentication application and await service requests from the default application. These additional Authentication Providers would perform private-key software smart card issuance and authentication in some specialized manner, such as extremely rapid authentication, authentication accompanied by authentication insurance, or authentication specialized to a certain geography or device type. Additional APs may also be the interface to alternative trust domains having credentials issued by an RA external to the PAMS.
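The reference-ID flow described in the two preceding paragraphs, as an added example (constructed for this page, not code from the patent or from Netar): the wallet keeps the real card number and billing address, and hands the merchant a 16-digit reference ID that begins with the Payment Processor's BIN, carries cardholder-chosen digits and random filler, and ends in a Luhn check digit so it passes the same format checks as a real card number. The BIN, card number and address below are constructed placeholders, and the merchant and acquirer checks are simplified stand-ins for what those parties actually do.

```python
"""Added example: building and resolving a PAMS reference ID for a card payment.
Not code from the patent or from Netar; all values are constructed."""
import secrets

# Constructed BIN for the hypothetical Payment Processor (the PAMS external
# Service Provider). Real BINs are assigned by the card networks.
PROCESSOR_BIN = "654321"
REFERENCE_ID_LENGTH = 16


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test, so the
    reference ID survives the same format validation as a real card number."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation as a merchant or gateway would apply it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_reference_id(bin_prefix: str, chosen_digits: str = "") -> str:
    """Processor BIN, then cardholder-chosen digits, then random filler,
    then a Luhn check digit."""
    body_len = REFERENCE_ID_LENGTH - len(bin_prefix) - 1
    if chosen_digits and not chosen_digits.isdigit():
        raise ValueError("chosen digits must be numeric")
    if len(chosen_digits) > body_len:
        raise ValueError("too many chosen digits")
    filler = "".join(str(secrets.randbelow(10)) for _ in range(body_len - len(chosen_digits)))
    partial = bin_prefix + chosen_digits + filler
    return partial + luhn_check_digit(partial)


class Wallet:
    """Cardholder's PAMS application. Real card data stays here; only the
    reference ID is handed to the merchant."""

    def __init__(self):
        self._vault = {}

    def register_card(self, pan: str, billing_address: str, chosen_digits: str = "") -> str:
        ref = make_reference_id(PROCESSOR_BIN, chosen_digits)
        self._vault[ref] = {"pan": pan, "billing_address": billing_address}
        return ref

    def resolve(self, reference_id: str):
        """Lookup performed for the Payment Processor over the PAMS-mediated
        channel; returns None for an unknown reference ID."""
        return self._vault.get(reference_id)


def merchant_accepts(number: str) -> bool:
    """A merchant's usual sanity check cannot tell a reference ID from a PAN."""
    return len(number) == REFERENCE_ID_LENGTH and number.isdigit() and luhn_valid(number)


def acquirer_route(number: str) -> str:
    """The acquiring bank routes on the leading BIN, so the transaction reaches
    the Payment Processor instead of a real issuer."""
    return "payment-processor" if number.startswith(PROCESSOR_BIN) else "issuing-bank"
```

The security property worth noting is that nothing in the reference ID is derived from the real card number: an attacker who captures it between cardholder and merchant learns only the processor's BIN and random digits, and the mapping back to the real card exists only in the wallet and is queried over the mediated channel.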
Thus the PAMS goes beyond the traditional role of providing a simple confirmation of whether a user is authentic, and allows users to personalize their authentication needs. For instance, some users will only want to deal with other users who use authentication accompanied by authentication insurance. Another feature of the PAMS is the option to provide alternative audit providers, which interface through the default audit provider of the application similarly to the authentication providers. Alternative audit providers may offer special auditing services such as auditing service quality, business transaction volume and status, and a state-of-the-art messaging system. Audit providers may offer different levels of security or safety of storage. The presence of additional authentication providers and additional audit providers enables particularly attractive options for the privacy and security of users. The additional providers may be internal (providers which are located at the same physical site and are started in the PAMS boot-up process) or external (providers which reside elsewhere on the network). By choosing external authentication and audit providers a user may choose where his information resides and how it is secured. This feature of the PAMS architecture allows the user to separate identification information (coming through the authentication agent) from transactional information (coming through the audit agent). The user sees the data transparently combined through the web portal while the data are actually coming from multiple places. This feature gives users a method by which fully authenticated users can transact anonymously with other users. Usually users are part of a larger group or enterprise of some type, generally a business.
For convenience in this application, since a primary target of the invention is international trade transactions, the word business will be used to refer to entities of all types, including all entities comprising one or more users with some connection which causes them to be grouped for the purpose of authentication. A business transaction, or transaction, will similarly refer to the interaction between two or more users. Even though the embodiments will be described in terms of businesses and business transactions, it will be appreciated by those skilled in the art that the invention includes all types of transactions which benefit from authentication and trust among the parties. A business will generally enroll with its own identity, which will be verified by the persistent authentication and mediation service, as well as a number of users, which may include a combination of the types of users. Each user will have one or more personas, each of which contains a subset of the verified business and user information. A persona identifies a user as part of the business as well as a particular unique individual (human or otherwise). Each business and user will also have information which may be dynamically varied by the user, such as a "shopping list" or inventory list. A persona can identify a user's role within a business, such as title, and the amount the user is authorized to spend. A persona can be anonymous or not, and a user may have both identified and anonymous personas. Anonymous personas are significant in light of the PAMS's ability to provide for authenticated anonymous interactions.
When the PAMS uses the preferred pseudo-PKI system, where a user's public key is contained in encrypted form on an identity certificate which is forwarded to the PAMS with the challenge response, a significant security benefit is realized, in that there is no need for the PAMS to store the public key or other access parameter on the authentication server, making a breach of the system much less likely. The authentication process can be initiated by a direct request from the user to the persistent authentication and mediation service, or alternatively by a request to another user's world wide web site which uses the persistent authentication and mediation service to regulate access to the site. In the latter case, the software provided to the web site will refer the user to the PAMS, which will authenticate the user and connect it to the web site, now under mediation of the PAMS. All communications with the persistent authentication and mediation service are mediated through the open software platform, and once connected the user's interaction will be mediated by the persistent authentication and mediation service through the open software platform. Once a user has authenticated to the PAMS, it will not be necessary to repeat that process when gaining access to other users with whom an existing relationship exists, or to connect to users which allow access to any user who is authenticated to the PAMS. This is a very useful feature, allowing multiple contacts without repeated login procedures. Some users will require a selection process before establishing a relationship. Authentication of a user to the PAMS will generally expire after passage of a specified period of time or upon execution of a log-off procedure. A very important feature of the PAMS is that it provides a platform to form new relationships which did not previously exist.
Enrolled users of the PAMS can find other users by searching the dynamically variable database of verified and user-variable data to find suitable partners. Some users will accept any potential "customer" as a partner, while others will have qualifying criteria which they can verify based on the credentials maintained in the PAMS database. A preferred optional feature of the PAMS is to provide workflow processes which allow a first user to screen the persona of a second user against predetermined criteria, and either accept or reject formation of the relationship based on the comparison. An example is a business with a web site which is enrolled in the PAMS and uses the PAMS to control access to its site. For instance, the business may indicate that it wants to form relationships with any user which is authorized to make purchases over $100,000. Prospective partners which discover the business through the discovery portal will be transparently screened by the PAMS and admitted or not based on the result of the screening. Combining authentication with persistent mediation provides an unexpected benefit in the establishment of trust in interactions over the Internet. Just as many-to-many group communication tends to be more complex than one-to-many communication, security in the many-to-many context is harder to achieve. As group membership changes, trust among group members may change, and a trust-providing infrastructure must be dynamic to accommodate the changes. The amount of trust placed in a digital certificate decreases over time, as an older certificate is more likely to have been compromised. CAs typically renew certificates once a year in an open PKI. Thus the relationship between a CA and a customer is normally based on infrequent contact. The PAMS, on the other hand, is continuously involved in the end-to-end transactions performed by a customer, providing continued performance monitoring and being alerted to changes in status, and consequently decreased risk.
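The persona screening workflow described above, as an added example (constructed for this page, not the patent's own workflow code): a persona separates the attributes the PAMS verified at enrollment from the attributes the user may change at will, and a business's admission criteria are evaluated only against the verified attributes unless the business explicitly opts to accept self-reported data. The policy, persona names and dollar figures are constructed; the $100,000 purchasing threshold is the one the text uses.

```python
"""Added example: screening a prospective partner's persona against admission
criteria, using PAMS-verified attributes. Constructed, not the patent's code."""
from dataclasses import dataclass, field


@dataclass
class Persona:
    persona_id: str
    anonymous: bool
    verified: dict = field(default_factory=dict)         # verified by the PAMS at enrollment
    user_controlled: dict = field(default_factory=dict)  # freely edited by the user


@dataclass
class Criterion:
    attribute: str
    op: str            # ">=", "==" or "in"
    value: object
    verified_only: bool = True


_OPS = {
    ">=": lambda actual, wanted: actual >= wanted,
    "==": lambda actual, wanted: actual == wanted,
    "in": lambda actual, wanted: actual in wanted,
}


def check(persona: Persona, crit: Criterion):
    """Return (passed, reason). A value the user typed in cannot satisfy a
    verified-only criterion; that is the point of screening on PAMS data."""
    if crit.attribute in persona.verified:
        actual, source = persona.verified[crit.attribute], "verified"
    elif not crit.verified_only and crit.attribute in persona.user_controlled:
        actual, source = persona.user_controlled[crit.attribute], "user-controlled"
    else:
        kind = "verified " if crit.verified_only else ""
        return False, f"{crit.attribute}: no {kind}value available"
    try:
        passed = _OPS[crit.op](actual, crit.value)
    except TypeError:
        return False, f"{crit.attribute}: value {actual!r} not comparable"
    return passed, f"{crit.attribute}={actual!r} ({source}) {crit.op} {crit.value!r}"


def screen(persona: Persona, criteria):
    """Admit only when every criterion passes; return the decision and the
    per-criterion reasons so both parties can see why access was granted or refused."""
    results = [check(persona, c) for c in criteria]
    return all(passed for passed, _ in results), [reason for _, reason in results]


# Constructed admission policy: the business deals only with buyers whose
# verified purchasing authority is at least $100,000 and whose verified role fits.
BUYER_POLICY = [
    Criterion("purchasing_authority_usd", ">=", 100_000),
    Criterion("role", "in", {"purchasing manager", "procurement officer"}),
]


def demo():
    """An anonymous persona with verified authority is admitted; a persona that
    merely claims a large authority in its user-controlled data is not."""
    anonymous_buyer = Persona(
        "p-1", anonymous=True,
        verified={"purchasing_authority_usd": 250_000, "role": "purchasing manager"},
        user_controlled={"shopping_list": ["steel coil"]},
    )
    self_claimed = Persona(
        "p-2", anonymous=False,
        verified={"purchasing_authority_usd": 20_000, "role": "purchasing manager"},
        user_controlled={"purchasing_authority_usd": 500_000},
    )
    return screen(anonymous_buyer, BUYER_POLICY)[0], screen(self_claimed, BUYER_POLICY)[0]
```

Because the decision is made on the PAMS's verified view rather than on what the persona presents, an anonymous persona can be admitted without disclosing who the individual is, which is the combination of screening and anonymous authenticated interaction the text describes.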
Information content which is available on the Internet generally has no meaning without a well-understood context. In the case of global commerce, the context itself is in a constant state of change as parties interact and new traders appear and disappear. The combination of authentication and persistent mediation provided by the PAMS provides a persistent context for the information content. Once established with a group of enrolled users, the PAMS and the enrolled users form a virtual network which exists on a public network such as the Internet. Enrolled users sign on to the network when they begin a session by authenticating to the PAMS. They may search for other members using the PAMS, and interact with other members with trust in their identity based on entry to the network being guarded by the PAMS. All interactions between users over the virtual network are mediated by the PAMS. The virtual network provides a particularly convenient forum for its users due to the ability to access other users seamlessly without repeated login procedures.
Description of the System Architecture
While the service described could be implemented in many different embodiments, the preferred implementation of the invention utilizes two new classes of network software which are synergistically suited for providing the PAMS.
The preferred implementation comprises a host site connected to the network, the host site including at least one computer server operated by an open software platform providing intelligent interactions; a persistent authentication and mediation service comprising a software pseudo-PKI authentication agent operating on the open software platform; an audit agent operating on the open software platform for monitoring and storing mediated messages; and application software operating on the open software platform with functionality for enrolling users, authenticating enrolled users, allowing authenticated users to dynamically find suitable partners according to criteria which they specify, and allowing authenticated partners to interact under the mediation of the common authenticating service through the open software platform. The authentication system preferably further comprises a customer database server, separate from the open software platform, comprising a database of information about the registered businesses, the database being accessible to the persistent authentication and mediation service, though it is possible to include the information within the database maintained by the open software platform. In the context of this application, an open software platform refers to a platform where users and enabled services operating under the platform can interact regardless of their hardware or operating systems, system management strategies, development environments or device capabilities. Intelligent interaction refers to the ability of enabled services to discover, negotiate, mediate, and compose themselves into more complicated services. The platform is analogous to an operating system, but instead of just mediating fixed requests from a process for resources and mapping virtual addresses to actual addresses, it is capable of mediating global Internet services.
All of the major functions of the service are preferably implemented through the open software platform, which mediates all interactions between the PAMS and users. A preferred open software platform is Hewlett-Packard's e-Speak, currently available as version 3.01. The e-Speak platform is implemented by an e-Speak core program which operates on a user's computer or server. In e-Speak, enabled services are referred to as e-services. The ability to discover refers to the fact that when an e-service registers with a host system accessible to the network and creates a description of the service it provides, users of the system can automatically discover services which have desired attributes, and contact them without needing to have known about the service in advance or knowing its URL. To negotiate refers to the fact that e-Speak negotiates between the requester and provider to eliminate services which are outside of the requested criteria. To mediate refers to the fact that users are connected through the e-Speak core, and e-Speak continuously intermediates the service delivery after the user and e-service have been connected. Users do not normally interface directly; interactions are by default mediated by the service. As previously mentioned, there may be times when users prefer to interact directly without mediation. A preferred embodiment of the PAMS includes the capability to alternate between mediated and direct interaction after authentication has been completed using persistent mediation. To compose refers to the ability of e-services to combine themselves into more complex, cascading e-services, even dynamically. While e-Speak is the preferred open platform, other open platforms could be well suited for providing the service, such as those provided by Microsoft, IBM and Sun, particularly platforms which provide the capability for discovery, negotiation, and mediation as described above.
Another alternative embodiment is to build the necessary functionality into a dedicated software package performing functions similar to those of e-Speak. An essential part of the service of the instant invention is an authentication agent which is part of the PAMS. The authentication agent performs the first step in the authentication process, namely authenticating a user to the PAMS. In the preferred embodiment the authentication agent comprises software functionality operating on the open software platform. The combination of the common authentication agent with the open software platform is a particularly synergistic one, in that the authentication agent performs the authentication of a user to the PAMS, while the open platform provides the persistent mediated connection between authenticated users. The open software platform mediates the exchanges between the authentication agent and the various users, and then the interaction between authenticated users interacting under the PAMS. Another essential part of the service is an audit agent, which like the authentication agent is a software application operating on the open software platform. While e-Speak mediates all messages, the messages are only stored until delivered. The audit agent performs logging and monitoring for all transaction events that occur in the system. The audit agent intercepts all events of interest during mediation by the e-Speak core and stores them in a permanent store such as a database. Another essential part of the service is a PAMS database. The PAMS database component contains the customer relationship management (CRM) information for each registered user. Such information includes user-specific reputation ratings, business partners, past and current dealings, and so forth, personalized for each user.
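The division of labour just described, where the platform core delivers messages only between authenticated users and the audit agent intercepts each one into a permanent store, as an added example (constructed for this page; not e-Speak's, WebFort's or the patent's own code). The audit agent below hash-chains its records so that either party can later verify that the trail was not altered, which is what makes it usable for the non-repudiation purpose the text assigns to it; whether the message content itself is stored is left to the users, and only its digest is kept otherwise. The `Mediator` class is a stand-in for the open platform core and the user names and message bodies are constructed.

```python
"""Added example: an audit agent that records every mediated message in a
hash-chained, append-only trail. Constructed; not e-Speak or patent code."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record


class AuditAgent:
    """Permanent store for mediated events; each record commits to the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Hash every field except the entry's own hash, in canonical JSON order.
        canon = json.dumps({k: v for k, v in entry.items() if k != "entry_hash"}, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()

    def record(self, sender: str, recipient: str, content: bytes, keep_content: bool) -> str:
        entry = {
            "seq": len(self.entries),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
            "sender": sender,
            "recipient": recipient,
            # The digest is always kept; the content itself only if the users chose so.
            "content_sha256": hashlib.sha256(content).hexdigest(),
            "content": content.decode("utf-8") if keep_content else None,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify_chain(self):
        """Return (True, None) if the trail is intact, else (False, seq) of the
        first record whose hash or link to its predecessor no longer matches."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._entry_hash(entry) != entry["entry_hash"]:
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None

    def trail_for(self, user: str):
        """The portion of the audit trail a given user is entitled to see."""
        return [e for e in self.entries if user in (e["sender"], e["recipient"])]


class Mediator:
    """Stand-in for the platform core: only users authenticated to the PAMS may
    exchange messages, and every message passes the audit agent before delivery."""

    def __init__(self, audit: AuditAgent):
        self.audit = audit
        self.authenticated = set()
        self.inbox = {}

    def mark_authenticated(self, user: str):
        self.authenticated.add(user)

    def send(self, sender: str, recipient: str, content: bytes, keep_content: bool = True) -> str:
        if sender not in self.authenticated or recipient not in self.authenticated:
            raise PermissionError("both parties must be authenticated to the PAMS")
        entry_hash = self.audit.record(sender, recipient, content, keep_content)
        self.inbox.setdefault(recipient, []).append(content)
        return entry_hash
```

A production audit provider would also timestamp each record and sign the chain head with the provider's own key; the chain alone already lets a user who kept an entry hash prove later that the stored trail still matches what was exchanged.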
Other features for promoting business transactions requiring trust, such as the ability to enroll users and compile a customer database of verified and variable information about users, the ability for authenticated users to dynamically discover other enrolled users based on the information in the customer database meeting particular criteria, and the ability to transact business with authenticated partners under the mediation of the service to provide for non-repudiation of the transactions, are preferably provided as software applications operating on the open software platform, either integrated into a single package or as separate software applications. In the preferred embodiment these functions are part of the extensible Web Access component of e-Speak and are known as the Web Portal. The Web Portal is accessible via XML over HTTPS or via ESIP through the e-Speak core. There is an important benefit which accrues from using an open software platform such as e-Speak, on which many user web sites will be operating to take advantage of its electronic commerce advantages. When the e-Speak core is operating on a user's computer or server, performance of the PAMS will be improved because mediated communications will proceed directly between the e-Speak cores of the user and the PAMS through the e-Speak Interexchange Protocol (ESIP), which is an optimized data transport for handling e-Speak traffic. It is not necessary, however, that the e-Speak core be installed on a user's network access device for it to utilize the PAMS. Typically users who are service providers providing services through a world wide web site will use the ESIP "core to core" connection, while users accessing through a web browser will connect with XML over HTTP. Performance-sensitive services use ESIP to communicate with the PAMS.
e-Speak also provides a proprietary EIDL compiler (see Appendix D of the e-Speak Programmer's Guide) that generates stub files on top of ESIP for efficient programmatic access from clients to an e-Speak service. The PAMS is to be deployed on high-end computer systems with fast Internet connections. Therefore, successive improvements in Internet router/switch technologies and computer systems, which have come to be taken for granted in today's marketplace, will help the PAMS to perform under increasing workload. In addition to mediation, the open software platform provides asynchronous message delivery, providing persistence of messages until delivered. The persistent authentication and mediation service requires an asynchronous architecture to provide fault tolerance in a widely dispersed network, so that messages will be preserved during server or network failures. The open software platform provides the persistent message queue management that is necessary to support the persistent authentication and mediation service on a global scale. Authenticated connections are preferably secure connections such as SSL, which is supported by e-Speak. In a PAMS in accordance with the invention, it is necessary that the authentication agent provide a high degree of confidence that the authenticated party is the entity which it purports to be, since a user's trust in the authenticity of another user can be no stronger than its trust that the PAMS has properly authenticated the other user. At the same time the authentication agent should employ an implementation which is scalable for use by a very large number of potential users, preferably hundreds of thousands or millions of users distributed world wide. Ordinary id/password systems, which are commonly employed for authentication to servers or on-line services, will not be considered sufficiently secure for users to proceed with major transactions based on their trust in the authentication.
Public Key Infrastructure (PKI) systems are recognized to provide a high degree of security provided that the private key is well secured; however, the common method of employing PKI by simply encrypting a private key located on the user's device with a password is subject to attack by an intruder, and may be useful for some purposes but not others. Approaches where identity certificates are stored on central servers and downloaded when requested limit the ability to provide non-repudiation, as multiple copies of the certificates exist. Hardware-based smart card systems for protecting the private key are very secure but are considered to be very costly and unmanageable for a large and widely dispersed group of users such as is contemplated in world wide trade, which is a primary application contemplated for the invention. A preferred strong software-protected pseudo-PKI system is a system such as the pseudo-PKI system described in U.S. Pat. No. 6,170,058, "Method and Apparatus for Secure Cryptographic Key Storage, Certification and Use", and in "Software Smart Cards via Cryptographic Camouflage" by D. Hoover and N. Kausik (1999 IEEE Symposium on Security and Privacy). The above technique protects the private key by means of a cryptographic software camouflage, which provides similar security benefits to hardware-based PKI but is limited to circumstances where messages are only verified by pre-defined trusted entities. This restriction arises because the method requires, to maintain security of the private key, that the user's public key be distributed on a certificate in an encrypted form which can only be decrypted by a secret key controlled by the trusted entities. For this reason, the technique has generally been relegated to authenticating users to a resource within an enterprise rather than to many-to-many authentication among a group of users. Since the public key is only made available in encrypted form, the system is called pseudo-PKI.
The software camouflage technique places the private key on the user's site so that it is released when the user enters a correct password. The private key is not merely encrypted with the password, however, but is said to be camouflaged because when incorrect passwords are entered, in many cases a false but otherwise plausible private key is generated. A challenge message encrypted with a false key is identifiable when submitted for authentication. The software camouflaging technique is readily scaled to large numbers of users since authentication is only carried out by a limited number of servers. This allows for a minimal software requirement on the user's network access device, which can be conveniently distributed over the network, and eliminates the need for hardware protection of the private key. The technology for implementing the pseudo-PKI system described above has been implemented in software known as WebFort™. WebFort™ as such is not capable of operating in a distributed e-services environment; it is suitable for authenticating users to a server or integrated group of servers which constitutes a resource the user seeks to access, rather than for common authentication of unrelated entities to each other. The WebFort™ system does not support a mediated infrastructure. The combination of online authentication using the cryptographic key storage PKI technology described above with persistent mediation solves the principal weakness of the cryptographic key storage when used alone. When used alone, the technology is subject to attack by an individual who somehow obtains the correct PIN (as by clandestine observation) and also has access to the workstation on which the software smart card is stored. Such an individual could readily defeat the system. In a PAMS, however, the continuous monitoring function could readily provide an alert to the owner via another channel, such as telephone or email, that the digital certificate is being used.
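The pseudo-PKI authentication flow described in the preceding paragraphs and earlier on this page (an identity certificate that carries the user's public key in encrypted form so the authentication server stores no per-user key, a software smart card whose private key is camouflaged so that a wrong PIN yields a plausible but false key, server-side detection of a response made with a false key, and an alert to the owner whenever the certificate is used), as an added toy model. This is not WebFort's, Arcot's or the patent's code: it uses textbook RSA with two small primes and a SHA-256 keystream in place of real primitives, so it demonstrates the structure of the scheme and nothing about its strength; all names, PINs and keys are constructed.

```python
"""Added toy model of the pseudo-PKI challenge-response described on this page.
Not WebFort, Arcot or patent code; tiny RSA parameters, for illustration only."""
import hashlib
import hmac
import secrets

# Toy RSA parameters (small primes, far too weak for real use).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)


def _pin_key(pin: str, salt: bytes) -> int:
    """Camouflage offset derived from the PIN. Every PIN maps to an in-range
    value, so a wrong PIN still yields a plausible-looking private exponent."""
    return int.from_bytes(hashlib.sha256(salt + pin.encode()).digest(), "big") % PHI


def issue_software_smart_card(pin: str) -> dict:
    """Enrollment, client side: the card holds the modulus and the camouflaged
    private exponent, but never the public exponent."""
    salt = secrets.token_bytes(8)
    return {"n": N, "salt": salt, "camouflaged_d": (D + _pin_key(pin, salt)) % PHI}


def open_card(card: dict, pin: str) -> int:
    """Return a private exponent for whatever PIN is given. Nothing local can
    tell a wrong PIN from the right one, because the card has no public key."""
    return (card["camouflaged_d"] - _pin_key(pin, card["salt"])) % PHI


def _digest(challenge: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def sign_challenge(card: dict, pin: str, challenge: bytes) -> int:
    """Client response: the challenge digest signed with the (possibly false) key."""
    return pow(_digest(challenge, card["n"]), open_card(card, pin), card["n"])


class PAMSAuthenticationAgent:
    """Server side. Holds only its own two secrets; no per-user public key is stored,
    since the certificate presented with each response carries it in encrypted form."""

    def __init__(self):
        self._pub_enc_key = secrets.token_bytes(32)   # decrypts public keys on certificates
        self._cert_mac_key = secrets.token_bytes(32)  # proves a certificate was issued here
        self.alerts = []                              # out-of-band notices to certificate owners

    def _keystream(self, nonce: bytes) -> int:
        # Toy stream cipher: 32-bit keystream from the server secret and a per-cert nonce.
        return int.from_bytes(hashlib.sha256(self._pub_enc_key + nonce).digest()[:4], "big")

    def _cert_body(self, user: str, n: int, nonce: bytes, enc_e: int) -> bytes:
        return f"{user}|{n}|{nonce.hex()}|{enc_e}".encode()

    def issue_certificate(self, user_id: str, e: int, n: int) -> dict:
        """Enrollment, server side: encrypt the public exponent and MAC the certificate."""
        nonce = secrets.token_bytes(8)
        enc_e = e ^ self._keystream(nonce)
        tag = hmac.new(self._cert_mac_key, self._cert_body(user_id, n, nonce, enc_e), "sha256").hexdigest()
        return {"user": user_id, "n": n, "nonce": nonce, "enc_e": enc_e, "tag": tag}

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_response(self, cert: dict, challenge: bytes, signature: int) -> bool:
        """Reject forged certificates, then check the signature with the decrypted
        public key. A response made with a false (wrong-PIN) key fails here, and the
        owner is notified of every use, successful or not."""
        expected = hmac.new(self._cert_mac_key,
                            self._cert_body(cert["user"], cert["n"], cert["nonce"], cert["enc_e"]),
                            "sha256").hexdigest()
        if not hmac.compare_digest(cert["tag"], expected):
            return False
        e = cert["enc_e"] ^ self._keystream(cert["nonce"])
        ok = pow(signature, e, cert["n"]) == _digest(challenge, cert["n"])
        self.alerts.append((cert["user"], "authenticated" if ok else "failed attempt"))
        return ok
```

The two properties the page relies on are visible in the code: `open_card` never raises on a wrong PIN, so an attacker with the card file gets no offline oracle, and `PAMSAuthenticationAgent` has no table of user keys to steal, because the only material needed to verify a response arrives on the certificate and can be unlocked only with the server's own secret.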
In a preferred implementation of the PAMS, the WebFort™ functions that carry out pseudo-PKI are organized into separate components and encapsulated in a custom software container operating on the e-Speak core, providing the functionality that enables authentication of users to the PAMS. The discovery and collaboration features are implemented as software applications operating on the e-Speak core, preferably as an extension of the e-Speak Web Access component. Interactions between users and the PAMS, and between users connected by the PAMS, are mediated by the e-Speak core. At present only Arcot's card operations need to be wrapped in JNI; other APIs, such as getChallenge( ) and verifyResponse( ), are supported by Arcot's Java toolkit (Arcot's Application SDK Client API). The following JNI functions wrap the SDK's administration C/C++ APIs:

JNIEXPORT jbyteArray JNICALL Java_arcot_service_wallet_create(JNIEnv *env, jobject jobj, jstring juserID, jstring jcardName);
JNIEXPORT jbyteArray JNICALL Java_arcot_service_wallet_exists(JNIEnv *env, jobject jobj, jstring juserID, jstring jcardName);

The JNI wrapper APIs follow Sun's standard Java Native Interface Specification (http://java.sun.com). In the preferred embodiment of the invention, the service further comprises additional authentication providers in addition to the main authentication agent. The additional authentication providers perform special services, such as providing extremely rapid authentication or providing authentication insurance combined with the authentication. The preferred embodiment further comprises additional audit providers in addition to the default audit agent provided with PAMS. Additional providers may perform special functions such as service quality monitoring, transactional volume monitoring, and status reporting.
The preferred network is the public Internet, though embodiments of the invention can be applied to other large-scale networks as well; and while the methods are described as capable of facilitating transactions in global trade, it should be appreciated that the invention is equally applicable to smaller distances and other networks and is not limited to global trade or the Internet. FIG. 1 shows a logical view of a preferred PAMS system utilizing the e-Speak open software platform. Actual system configurations can vary considerably; for instance, the entire PAMS system functionality can be distributed across application servers, Web servers, e-Speak cores, and multiple databases. Through e-Speak core-to-core communication, PAMS systems can easily connect to one another to form a cluster of PAMS networks presenting the same consistent view to users. PAMS, acting as the primary backend component, together with other Web portal front-end components, forms a complete online service. Internally PAMS consists of three primary system components: the authentication agent, the audit agent, and e-Speak. Each agent maintains a list of internal service providers, for authentication and for auditing respectively. The authentication agent relies on WebFort for the software smart card implementation; the audit agent relies on e-Speak for mediation functionality. Referring to FIG. 1, a preferred PAMS system 110 is shown comprising an authentication agent 120 operating on an open software platform, here the e-Speak core 130. Several Authentication Providers are shown, Authentication Provider 1 (122) through Authentication Provider N (124). The Authentication Providers include the functionality for enrolling users and authenticating enrolled users to the PAMS. The default Authentication Provider is part of the Authentication Agent 120. An Audit Agent 140 is shown with additional Audit Providers 142 and 144. Authentication Providers 150 and Audit Providers 152 are additional external providers.
Also shown are special external service providers 156, 158, and 160, which are services outside of PAMS that have been enrolled as members in the PAMS and will be frequently utilized by other members. The Authentication Agent is an integral part of PAMS. It leverages a local e-Speak core to provide authentication services for PAMS. The agent serves as the default Registration Authority (RA) in PAMS: it is the RA for users enrolled by PAMS. It is optionally possible for PAMS to recognize certificates issued by others and authenticated by an external Authentication Provider which interfaces through the Authentication Agent; in this case, before authentication, information about each user is stored in the PAMS database, creating a relationship between PAMS and the user. The Authentication Agent acts as proxy to other internal or external authentication providers which serve as the Certificate Authority. The Agent implements e-Speak's service interface, thus qualifying it as an e-service. By default the agent hosts an internal authentication service that wraps WebFort. Generation of certificates within the agent is the default operating mode when an external authentication provider is not being utilized. As PAMS' default authentication provider, this service implements the pamsAuthSPIntf interface as defined below. The Agent decides which authentication provider to use based on certain attributes of the incoming request, such as cost or response-time requirements. The Authentication Agent is accessible through its interface defined as following:
The Authentication Agent provides built-in authentication, as indicated by its implementation of pamsAuthSPIntf. Internally it implements a JNI adapter to WebFort's public C-based SDK. The agent mediates all calls for authentication. Other Web Portal components can call the agent service by name (the Web Portal, discussed below, is the interface for access to PAMS). The Authentication Agent is called by Web Portal components when authentication is required, that is, when access to protected resources is requested. Type B clients, however, bypass the portal and access the agent directly. An Authentication Provider (AP), from the PAMS viewpoint, belongs to one of two classifications: internal or external. An internal AP is local and packaged together with PAMS; local APs can be considered premier APs. External APs are located remotely and are connected to PAMS through the administration console by conforming to the e-Speak service interface. External APs require a higher level of security validation to PAMS before they are used for service. Both types of provider implement the same pamsAuthSPIntf interface. As stated earlier, all authentication providers await service requests from the Authentication Agent. The Agent decides which AP is selected for a particular transaction based on service attributes such as cost and response-time requirements.
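The following is an added example, not code from the patent or from the PAMS implementation, of how an Authentication Agent can dispatch among providers that share one interface. The interface name pamsAuthSPIntf is taken from the description, but its method names, the cost and response-time attributes, the validation flag gating external providers, and the audit records are assumptions made for the example. It shows the selection policy described above: only providers that satisfy the request's cost and response-time requirements are eligible, external providers become eligible only after an administrator marks them validated, and internal (premier) providers are preferred when several qualify.

```python
"""Authentication Agent dispatching among pamsAuthSPIntf providers (illustrative)."""
from abc import ABC, abstractmethod
from dataclasses import dataclass


@dataclass
class AuthRequest:
    user_id: str
    max_cost: float           # most the caller will pay per authentication (assumed attribute)
    max_response_ms: int      # response-time requirement (assumed attribute)


class pamsAuthSPIntf(ABC):
    """Assumed shape of the provider interface; every AP, internal or external, implements it."""
    def __init__(self, name, cost, response_ms, external):
        self.name, self.cost, self.response_ms, self.external = name, cost, response_ms, external
        self.validated = not external       # internal (premier) APs are trusted as packaged

    @abstractmethod
    def authenticate(self, user_id):
        ...


class WebFortProvider(pamsAuthSPIntf):
    """Default internal AP; stands in for the wrapper around WebFort."""
    def __init__(self, enrolled):
        super().__init__("webfort-default", cost=1.0, response_ms=250, external=False)
        self.enrolled = enrolled

    def authenticate(self, user_id):
        return user_id in self.enrolled


class ExternalProvider(pamsAuthSPIntf):
    """Remote AP connected via the administration console; unusable until validated."""
    def __init__(self, name, cost, response_ms, known_users):
        super().__init__(name, cost, response_ms, external=True)
        self.known_users = known_users

    def authenticate(self, user_id):
        return user_id in self.known_users


class AuthenticationAgent:
    def __init__(self):
        self.providers = []
        self.audit = []           # events an audit agent would subscribe to (assumed format)

    def register(self, ap):
        self.providers.append(ap)

    def validate_external(self, ap_name):
        """Administrator records that an external AP passed the higher security validation."""
        for ap in self.providers:
            if ap.name == ap_name and ap.external:
                ap.validated = True

    def select(self, req):
        eligible = [ap for ap in self.providers
                    if ap.validated
                    and ap.cost <= req.max_cost
                    and ap.response_ms <= req.max_response_ms]
        if not eligible:
            return None
        # prefer internal (premier) APs, then the cheapest, then the fastest
        return min(eligible, key=lambda ap: (ap.external, ap.cost, ap.response_ms))

    def authenticate(self, req):
        ap = self.select(req)
        if ap is None:
            self.audit.append(("no-provider", req.user_id))
            return False
        ok = ap.authenticate(req.user_id)
        self.audit.append(("auth-ok" if ok else "auth-fail", req.user_id, ap.name))
        return ok


if __name__ == "__main__":
    agent = AuthenticationAgent()
    agent.register(WebFortProvider(enrolled={"alice"}))
    agent.register(ExternalProvider("fast-ap", cost=3.0, response_ms=50, known_users={"alice", "carol"}))
    print(agent.select(AuthRequest("alice", max_cost=2.0, max_response_ms=300)).name)   # webfort-default
    print(agent.select(AuthRequest("carol", max_cost=5.0, max_response_ms=100)))        # None: not validated
    agent.validate_external("fast-ap")
    print(agent.select(AuthRequest("carol", max_cost=5.0, max_response_ms=100)).name)   # fast-ap
```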
Note that an alternative XML messaging interface wrapping these methods can be provided so that HTTP requests can access this interface. The audit agent in PAMS performs logging and monitoring for all transaction events that occur in the system. In e-Speak terminology, it utilizes the system event logging provided as a default service by the e-Speak core; specifically, the agent hooks into the publish/subscribe event manager of the e-Speak core. Once registered, the agent intercepts all events or messages of interest during mediation by the e-Speak core. As part of monitoring, the agent can raise a warning flag, or suspend or terminate sessions that are suspicious in nature. The agent can put the transaction events in a permanent store, such as a database, or in a secure store such as HP's VirtualVault.
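The following is an added example, not code from the patent or from e-Speak, of an audit agent that subscribes to a publish/subscribe event manager and applies the three responses named above (warn, suspend, terminate) together with the out-of-band owner notification mentioned earlier. The event bus is a minimal stand-in for the e-Speak core's event manager; the event field names, the failure thresholds, the rule that one certificate active from two endpoints at once is terminated (the stolen-PIN-plus-copied-workstation case), and the sample events are all constructed assumptions for the example.

```python
"""Audit agent subscribed to a publish/subscribe event manager (illustrative)."""
from collections import defaultdict


class EventBus:
    """Minimal publish/subscribe stand-in for the e-Speak core's event manager."""
    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, topic, handler):
        self.subscribers[topic].append(handler)

    def publish(self, topic, event):
        for handler in self.subscribers[topic]:
            handler(event)


class AuditAgent:
    def __init__(self, bus, fail_warn=3, fail_suspend=5):
        self.store = []                        # permanent record (database / VirtualVault)
        self.actions = []                      # ("warn"|"suspend"|"terminate", subject)
        self.alerts = []                       # out-of-band notices to certificate owners
        self.fail_warn, self.fail_suspend = fail_warn, fail_suspend
        self.failures = defaultdict(int)       # user -> consecutive failed authentications
        self.open_sessions = defaultdict(set)  # user -> {(session_id, endpoint)}
        for topic in ("auth", "session", "transaction"):
            bus.subscribe(topic, self.on_event)   # registration: intercept events of interest

    def on_event(self, ev):
        self.store.append(ev)                  # every mediated event is logged first
        handler = getattr(self, "_on_" + ev["type"].replace("-", "_"), None)
        if handler:                            # events with no rule are logged only
            handler(ev)

    def _on_auth_fail(self, ev):
        n = self.failures[ev["user"]] + 1
        self.failures[ev["user"]] = n
        if n == self.fail_warn:
            self.actions.append(("warn", ev["user"]))
        elif n >= self.fail_suspend:
            self.actions.append(("suspend", ev["user"]))

    def _on_auth_ok(self, ev):
        self.failures[ev["user"]] = 0
        # the certificate was just used: tell its owner through another channel
        self.alerts.append(("cert-in-use", ev["user"], ev["endpoint"]))

    def _on_session_open(self, ev):
        sessions = self.open_sessions[ev["user"]]
        sessions.add((ev["session"], ev["endpoint"]))
        if len({endpoint for _, endpoint in sessions}) > 1:
            # one software smart card active from two places at once: treat every
            # session of that user as suspicious and terminate them all
            for session_id, _ in sorted(sessions):
                self.actions.append(("terminate", session_id))
            sessions.clear()

    def _on_session_close(self, ev):
        self.open_sessions[ev["user"]].discard((ev["session"], ev["endpoint"]))


if __name__ == "__main__":
    bus = EventBus()
    agent = AuditAgent(bus)
    # constructed sample events
    for _ in range(5):
        bus.publish("auth", {"type": "auth-fail", "user": "alice", "endpoint": "10.0.0.5"})
    bus.publish("auth", {"type": "auth-ok", "user": "bob", "endpoint": "10.0.0.7"})
    bus.publish("session", {"type": "session-open", "user": "bob", "session": "s1", "endpoint": "10.0.0.7"})
    bus.publish("session", {"type": "session-open", "user": "bob", "session": "s2", "endpoint": "192.0.2.9"})
    print("actions:", agent.actions)
    print("alerts:", agent.alerts)
```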
