US9078128B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9078128-B2 |
| Application number | US-201113224626-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 2, 2011 |
| Priority date | Jun 3, 2011 |
| Publication date | Jul 7, 2015 |
| Grant date | Jul 7, 2015 |
Official abstract text for this publication.
A system and method for securely processing identity information. For example, in one embodiment of the invention, a first user is registered on an identity service with one or more identification (ID) codes and a token. In response to a query from a second user to connect with the first user, a query signature is generated using the one or more ID codes and token of the first and second users, and a timestamp. The query signature is usable by network services to authenticate communication between the first and second users on the network over a specified period of time. In another embodiment, user ID codes and tokens are cached on mobile devices and/or a system cache to improve performance. The validity of the cached data is determined by calculating a fingerprint which, in one embodiment, is a hash of the ID code, token and a timestamp.
Opening claim text (preview).
We claim:

1. A method for managing user identities on a network comprising: receiving, by an identity service executing on a processor in a server on the network, a request to register an identity for a first user, the request including a token containing a notification service account identifier for a mobile device of the first user that uniquely identifies the mobile device of the first user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, the request further including one or more authenticated identification (ID) codes uniquely identifying the first user; storing, by the identity service, an entry for the first user within a registration database, the entry associating the token with the authenticated ID codes of the first user; receiving, by the identity service, a query from a second user to communicate with the first user, the query including at least one of the authenticated ID codes of the first user, the query further including at least one authenticated ID code of the second user and a token containing a notification service account identifier for a mobile device of the second user that uniquely identifies the mobile device of the second user to the push notification service on the network; generating, by the identity service, a first query signature over one or more of the authenticated ID codes and tokens of the first and second users, and a timestamp, the query signature usable by application-specific network services to authenticate communication between the first and second users on the network; and transmitting, by the identity service, the first query signature and the first user's token to the mobile device of the second user, the mobile device of the second user subsequently sending a message to the push notification service for delivery to the first user upon verification by a first application-specific network service using the first query signature sent to the first application-specific network service by the push notification service.

2. The method as in claim 1 further comprising: receiving a request from the second user at the first application-specific network service to establish a communication channel with the first user; generating a second query signature at the first application-specific network service using the authenticated ID codes and tokens of the first and second users, and a current timestamp; if the first query signature and the second query signature match, then allowing communication between the first user and the second user using the first application-specific network service.

3. The method as in claim 2 wherein if the first query signature does not match the second query signature, then rejecting the request from the second user at the first application-specific network service to establish a communication channel with the first user.

4. The method as in claim 3 wherein the first application-specific network service comprises an instant messaging service.

5. The method as in claim 1 wherein the request to register the identity of the first user includes application data identifying applications installed on the first user's mobile device, the application data being stored in the entry for the first user within the registration database, wherein the request from the second user includes application data identifying applications installed on the second user's mobile device, and wherein the response to the second user identifies applications common to both the first user's mobile device and the second user's mobile device.

6. The method as in claim 5 wherein at least one of the applications comprises a video chat application.

7. The method as in claim 1 wherein the one or more authenticated ID codes are received from the first user in a non-canonicalized format, the method further comprising: canonicalizing the one or more authenticated ID codes to generate canonicalized ID codes prior to storing the canonicalized ID codes within the registration database; and transmitting one or more of the canonicalized ID codes to the second user with the first query signature and first user's token.

8. The method as in claim 7 wherein one of the authenticated ID codes comprises a telephone number associated with the first user.

9. The method as in claim 1 wherein one of the authenticated ID codes comprises an email address associated with the first user.

10. The method as in claim 1 further comprising: generating a first certificate for the first user comprising a signature over the token of the first user; generating a second certificate for the first user comprising a signature over at least one of the authenticated ID codes of the first user and a password associated with the first user; and generating a third certificate for the first user using data extracted from the first certificate and the second certificate, and a timestamp, the third certificate usable by the application-specific network services to authenticate the first user on the network.

11. A method comprising: receiving, by an identity service executing on a processor in a server on a network, a first query from a mobile device of a first user to communicate with a mobile device of a second user; responsively providing, by the identity service, the mobile device of the first user with one or more authenticated identities of the second user, a token for a mobile device of the second user, and a fingerprint generated with one or more authenticated identities of the first user, the token, and a timestamp, the token containing a notification service account identifier for the mobile device of the second user that uniquely identifies each mobile device of the second user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, the mobile device of the first user subsequently sending a message to the push notification service for delivery to the second user upon verification by a first application-specific network service using authentication identifiers and tokens for the first and second users sent to the first application-specific network service by the push notification service; subsequently checking, by the identity service, the fingerprint on the mobile device of the first user to determine if the fingerprint is still valid in response to a second query generated from the first user to communicate with the second user, wherein if the fingerprint is still valid then re-using the one or more authenticated identities of the second user and the token of the second user provided in response to the first query.

12. The method as in claim 11 wherein the fingerprint comprises a hash over the one or more authenticated identities and the token of the second user.

13. The method as in claim 12 wherein the hash comprises a secure hash algorithm 1 ("SHA-1") hash.

14. The method as in claim 11 wherein subsequently checking the fingerprint comprises re-generating the fingerprint using the one or more authenticated identities and token of the second user and a current timestamp and comparing the re-generated fingerprint with the original fingerprint.

15. The method as in claim 12 further comprising: storing the one or more authenticated identities, the token of the second user, and the fingerprint in a network cache; receiving a subsequent query at the network cache for the one or more authenticated identities and token of the second user; transmitting the fingerprint from the networ
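The abstract and claims describe a protocol without fixing its primitives: a query signature over both users' ID codes, tokens and a timestamp that application-specific services regenerate and compare (claims 1 to 3), canonicalized ID codes (claim 7), and a cache fingerprint over identities, token and timestamp that is checked by regeneration with the current time (claims 11 to 14). The following Python is an added illustration written for this page; it is not the patent's implementation or any product's code. It assumes HMAC-SHA256 under a key shared by the identity service and the application-specific services for the signature, SHA-256 rather than the SHA-1 that claim 13 names for one embodiment for the fingerprint, a fixed validity window for the "specified period of time", and the `IdentityService`, `query_signature`, `fingerprint` and `cached_entry_valid` names, all of which are assumptions; the sample users and tokens are constructed.

```python
import hashlib
import hmac

# Assumed values for this illustration; the patent specifies neither a signature
# algorithm nor a window length. SERVICE_KEY stands in for a secret the identity
# service shares with the application-specific services, and PERIOD_SECONDS is
# the "specified period of time" over which a signature or fingerprint is valid.
SERVICE_KEY = b"constructed-demo-key-not-for-production"
PERIOD_SECONDS = 3600


def canonicalize_id(id_code: str) -> str:
    """Claim 7: canonicalize an ID code. E-mail addresses are lower-cased and
    telephone numbers reduced to '+' plus digits (an assumed E.164-style form)."""
    s = id_code.strip()
    if "@" in s:
        return s.lower()
    return "+" + "".join(ch for ch in s if ch.isdigit())


def period_index(now: int) -> int:
    """Coarse timestamp: everyone inside the same window derives the same value,
    so a verifier regenerating with its own current time (claim 2) still matches,
    while a signature presented after the window has passed does not."""
    return now // PERIOD_SECONDS


def _join_ids(ids) -> str:
    # Sorted and canonical, so both sides serialize the same set identically.
    return ",".join(sorted(canonicalize_id(i) for i in ids))


def query_signature(first_ids, first_token, second_ids, second_token, now: int) -> str:
    """Claim 1: signature over both users' ID codes and tokens plus a timestamp.
    HMAC-SHA256 under SERVICE_KEY is the assumed construction."""
    material = "|".join([_join_ids(first_ids), first_token,
                         _join_ids(second_ids), second_token,
                         str(period_index(now))]).encode()
    return hmac.new(SERVICE_KEY, material, hashlib.sha256).hexdigest()


def verify_query_signature(presented: str, first_ids, first_token,
                           second_ids, second_token, now: int) -> bool:
    """Claims 2-3: the application-specific service regenerates the signature
    with its own current timestamp and accepts only on a constant-time match."""
    expected = query_signature(first_ids, first_token, second_ids, second_token, now)
    return hmac.compare_digest(expected, presented)


def fingerprint(ids, token: str, now: int) -> str:
    """Claims 11-13: hash over the cached identities, token and timestamp.
    Claim 13 names SHA-1 for one embodiment; SHA-256 is used here instead."""
    material = "|".join([_join_ids(ids), token, str(period_index(now))]).encode()
    return hashlib.sha256(material).hexdigest()


def cached_entry_valid(entry: dict, now: int) -> bool:
    """Claim 14: regenerate the fingerprint with the current timestamp and compare.
    A match lets the cached identities and token be re-used; a mismatch means the
    entry is stale and the identity service must be queried again."""
    regenerated = fingerprint(entry["ids"], entry["token"], now)
    return hmac.compare_digest(regenerated, entry["fingerprint"])


class IdentityService:
    """Registration database keyed by canonical ID code (claim 1)."""

    def __init__(self):
        self._registry = {}

    def register(self, ids, token: str) -> None:
        entry = {"ids": [canonicalize_id(i) for i in ids], "token": token}
        for code in entry["ids"]:
            self._registry[code] = entry

    def query(self, target_id: str, querier_ids, querier_token: str, now: int):
        """Second user asks to reach the first user; the reply carries the first
        user's identities and token, the query signature and a cache fingerprint.
        Returns None when the target ID code is not registered."""
        target = self._registry.get(canonicalize_id(target_id))
        if target is None:
            return None
        return {
            "ids": target["ids"],
            "token": target["token"],
            "signature": query_signature(target["ids"], target["token"],
                                         querier_ids, querier_token, now),
            "fingerprint": fingerprint(target["ids"], target["token"], now),
        }


if __name__ == "__main__":
    # Constructed sample data: Alice registers, Bob queries for her, and the
    # application-specific service checks the signature inside and after the window.
    T0 = 1_700_000_000
    svc = IdentityService()
    svc.register(["Alice@Example.com", "(415) 555-0100"], "tok-alice")
    reply = svc.query("alice@example.com", ["bob@example.com"], "tok-bob", T0)
    for when in (T0 + 10, T0 + 2 * PERIOD_SECONDS):
        print(when, verify_query_signature(reply["signature"], reply["ids"], "tok-alice",
                                           ["bob@example.com"], "tok-bob", when))
```

Two properties of the claimed scheme carry over into the example: because the timestamp enters the signature and the fingerprint only at window granularity, a verifier that regenerates with its own clock accepts a fresh value and rejects one presented after the window, and because the signature binds the querying user's ID code and token, a signature issued for one querier does not verify for another. Comparisons use `hmac.compare_digest` so that the match itself does not leak timing information.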
CPC classifications:

- User authentication
- Using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens, H04L9/3213)
- Using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates, H04L9/3263)
- Timestamp
- Using certificates