A method and apparatus for identifying an applicant as a member of a group without explicitly listing all possible applicants. A test is defined which specifies the criteria for group membership. The test definition (100) and an optional group identifier code are supplied to a criterion generator (102). The criterion generator (10) generates an authenticated message (108) based, at least in part, upon said test definition (100). The authenticated message (108) is delivered (112) to one or more criterion evaluators (18) that verify the authenticated message (122). In one embodiment, once the authenticated message has been verified (124), the applicant for access to a resource presents a credential (132) to the criterion evaluator (18). If the credential satisfies the test definition (100), the applicant is granted access (134) to the specified resource and denied access (136) if the credential does not satisfy the test definition. In another embodiment, upon presentation of a suitable credential to the criterion evaluator (18), the criterion evaluator (18) produces a group membership credential (32) that may be presented to an actuator (34) that is not in communication with the criterion evaluator (18). If the actuator determines that the group membership credential is authentic, the applicant is granted access to the resource.
展开▼
