We propose a new authorisation architecture that extends the anonymous authorisation framework proposed by Au et al. by introducing a new entity, the trustee, and a new concept, the key binding certificate (KBC). In the architecture, the trustee issues a KBC to certify the association between a registered user's unique identity and the user's one-task authorisation key (OTAK), where the OTAK serves as the user's unique identifier so that anonymity is preserved. More importantly, the trustee acts as an identity escrow agent, providing anonymity revocation in a well-regulated manner. Hence, any service provider is able to make authorisation decisions with a high level of assurance based on the anonymous attribute certificates (AACs) issued by referee servers to anonymous users. The trustee also enables the notion of chained referral in situations where users are required to obtain AACs from several referee servers. An improved protocol is also proposed, accompanied by an outline of its security analysis.
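The following is an added illustrative model of the roles described in the abstract (trustee, KBC, OTAK, referee servers, AACs, identity escrow and chained referral); it is not the authors' protocol. HMAC under a party-held key stands in for the paper's signature scheme, and the class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Added model of the abstract's roles. HMAC under a party-held key stands in for
# the paper's signature scheme (an assumption for illustration only); the paper's
# actual protocol messages and cryptography are not reproduced here.

def _tag(key, *fields):
    """Authentication tag over the concatenated fields (stand-in for a signature)."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

class Trustee:
    """Issues KBCs binding a registered identity to an OTAK and escrows that binding."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.escrow = {}  # OTAK -> registered identity (the identity escrow record)

    def issue_kbc(self, identity, otak):
        self.escrow[otak] = identity
        return _tag(self.key, b"KBC", otak)

    def verify_kbc(self, otak, kbc):
        return hmac.compare_digest(kbc, _tag(self.key, b"KBC", otak))

    def revoke_anonymity(self, otak):
        """Regulated revocation: map a misbehaving OTAK back to its identity."""
        return self.escrow.get(otak)

class RefereeServer:
    """Issues an AAC for one attribute to an OTAK that presents a valid KBC.
    With `requires` set, the referee also demands an AAC from another referee
    first (the abstract's chained referral)."""
    def __init__(self, trustee, attribute, requires=None):
        self.trustee, self.attribute, self.requires = trustee, attribute, requires
        self.key = secrets.token_bytes(32)

    def issue_aac(self, otak, kbc, prior_aac=None):
        if not self.trustee.verify_kbc(otak, kbc):
            return None  # OTAK is not bound to a registered identity
        if self.requires is not None and not self.requires.verify_aac(otak, prior_aac):
            return None  # chained referral: the prerequisite AAC is missing or invalid
        return _tag(self.key, b"AAC", otak, self.attribute.encode())

    def verify_aac(self, otak, aac):
        if aac is None:
            return False
        return hmac.compare_digest(aac, _tag(self.key, b"AAC", otak, self.attribute.encode()))

def service_decision(referee, otak, aac):
    """Service provider authorises on the AAC alone; it never learns the identity."""
    return referee.verify_aac(otak, aac)
```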