Living List of Identity Management Terminology

From ITUwiki


Terms and definitions used in Identity Management.

The list was drawn up in 2007 by the ITU-T Focus Group for Identity Management. It is a collection of terms from many sources; no particular term is endorsed but it is recommended that if possible, existing terms should be used rather than inventing new ones.

See also Living List of Identity Management Forums

The following repositories also contain extensive glossaries:-


Each entry below gives the term, its definition(s) with the source(s) in square brackets, and any notes.

access control
  The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. [X.800]

address
  An address is the identifier for a specific termination point and is used for routing to this termination point. [ITU-T Y.2091]

agent
  a computer system or device that has been delegated (authority, responsibility, a function, etc.) by and acts for a Party (in exercising the authority, carrying out the responsibility, performing the function, etc.). [ITU-T X.911]

anonymity
  • lack of any capability to ascertain identity. [ITU-T Y.IdMsec]
  • the quality or state of being anonymous, which is the condition of having a name or identity that is unknown or concealed. [OASIS SAML 2.0, RFC 2828]

asset
  Anything that has value to the organization, its business, its operations and its continuity. [ITU-T Y.2701]

assurance (or at least authentication assurance)
  a measure of confidence that the security features and architecture of the Identity Management capabilities accurately mediate and enforce the security policies understood between the Relying Party and the Identity Provider. [ITU-T Y.IdMsec]

assurance level
  a quantitative expression of Assurance agreed between a Relying Party and an Identity Provider. [ITU-T Y.IdMsec]

asymmetric authentication method
  A method of authentication in which not all authentication information is shared by both entities. [ITU-T Y.IdMsec, X.811]

attribute
  a property or characteristic that can be used to determine a condition or quality of an entity. [ITU-T Y.IdMsec]

attribute type
  That component of an attribute which indicates the class of information given by that attribute. [X.501]

attribute value
  A particular instance of the class of information indicated by an attribute type. [X.501]

audit (secret)
  An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures. [X.800]

authenticated identity
  a distinguishing identifier of a principal that has been assured through authentication. [ITU-T Y.IdMsec, X.811]

authentication
  The provision of assurance of the claimed identity of an entity. [ITU-T Y.IdMsec, X.811]

authentication certificate
  a security certificate that is guaranteed by an authentication authority and that may be used to assure the identity of an entity. [ITU-T Y.IdMsec, X.811]

authentication exchange
  a sequence of one or more transfers of exchange authentication information (AI) for the purposes of performing an authentication. [ITU-T Y.IdMsec, X.811]

authentication information
  • information used to establish the validity of a claimed identity. [ITU-T Y.IdMsec, X.800]
  • information used for authentication purposes. [ITU-T Y.IdMsec, X.811]

authentication initiator
  the entity that starts an authentication exchange. [ITU-T Y.IdMsec, X.811]

authorization
  the granting of rights, which includes the granting of access based on access rights. [ITU-T Y.IdMsec, X.800]

authoritative
  in the context of IdM, the Identity Provider which possesses the authority under law, contractual agreement, or customary practice to definitively answer queries concerning a specific identity for which it is responsible. [ITU-T Y.IdMsec]

certificate (secret)
  A set of security-relevant data issued by a security authority or a trusted third party, together with security information which is used to provide the integrity and data origin authentication services for the data. [X.800]

claim
  An assertion made by a Claimant of the value or values of one or more Identity Attributes of a Digital Subject, typically an assertion which is disputed or in doubt. [Identity Gang]
  Note: A Claim could just convey an identifier. Another Claim might assert that a Digital Subject knows a given key. A set of Claims might convey personally identifying information. A Claim might simply propose that a Digital Subject is part of a certain group, or state that a Digital Subject has a certain capability. Claims may or may not be directed to specific Parties. A Claim is an association between a Claimant, a Digital Subject, and an Identity Attribute.

claimant
  • an entity which is or represents a principal for the purposes of authentication. A claimant includes the functions necessary for engaging in authentication exchanges on behalf of a principal.
  • a Digital Subject representing a Party that makes a Claim.

claim authentication information
  information used by a claimant to generate exchange AI needed to authenticate a principal. [ITU-T Y.IdMsec, X.811]

context
  A property that can be associated with a user attribute value to specify information that can be used to determine the applicability of the value. [X.501]

credential
  • The private part of a paired Identity assertion (user-id is usually the public part). The thing(s) that an Entity relies upon in an Assertion at any particular time, usually to authenticate a claimed Identity. Credentials can change over time and may be revoked. Examples include a signature, a password, a driver's licence number (not the card itself), an ATM card number (not the card itself), data stored on a smart card (not the card itself), a digital certificate, a biometric template.
  • Data that is transferred to establish the claimed identity of an entity.
  Source: Identity Dictionary
  Note: There is no need to issue a new credential if an Identity already has one that can be used, is trusted and whose currency can be reconfirmed at each authentication, such as an existing account or a digital certificate from a trusted organisation.

data origin authentication
  the corroboration that the source of data received is as claimed. [ITU-T Y.IdMsec, X.800]

delegation
  an act of transferring privileges to perform some action on behalf of a principal from an entity that has them to another entity that does not have them. [ITU-T Y.IdMsec]

digital identity
  • a digital representation of a set of Claims made by one Party about itself or another Digital Subject. [Identity Gang et al.]
  • a set of claims made by one digital subject about itself or another digital subject. [Cameron, CERIAS]
  • the digital representation of the information known about a specific individual or organization. [CERIAS]
  Notes:
  • A Digital Identity is just one set of Claims about a Digital Subject. For any given Digital Subject there will typically exist many Digital Identities.
  • A Digital Identity can be created on the fly when a particular identity transaction is desired, or persisted in a data store to provide a referenceable representation.
  • A Digital Identity may contain Claims made by multiple Claimants.
  • A Digital Identity may be signed by a Digital Identity Provider to provide assurance to a Relying Party.

digital identity provider
  an Agent that issues a Digital Identity. [Identity Gang]

digital subject
  an Entity represented or existing in the digital realm which is being described or dealt with. [Identity Gang]
  Note: Every Digital Subject has a finite, but unlimited, number of Identity Attributes.

directed identity
  a unifying identity metasystem must support both "omni-directional" identifiers for public entities and "unidirectional" identifiers for private entities. [The Laws of Identity, Kim Cameron]

discovery
  an act of transferring privileges to perform some action on behalf of a principal from an entity that has them to another entity that does not have them. [ITU-T Y.IdMsec]

electronic identity
  The information about a registered entity that the Identity Provider has chosen to represent the Identity of that entity. The eID includes a name or an identifier for the entity that is unique within the domain of the Identity Provider. [TF-AACE]

enrolment
  The process of adding a Permission to an Identity. [Identity Dictionary]
  Note: It may result in the issuing of a new identity or an additional account. The link between Registration and Enrolment must remain unbroken.

entity
  • anything that has separate and distinct existence that can be uniquely identified. In the context of IdM, examples of entities include subscribers, users, network elements, networks, software applications, services and devices. An entity may have multiple identifiers. [ITU-T Y.IdMsec]
  • a person, physical object, animal, or juridical entity. [Identity Gang]
  • An entity is anyone (natural or legal person) or anything that shall be characterised through the measurement of its attributes. (The choice was made to provisionally keep this definition open to any type of person (including legal persons, to facilitate e.g. eProcurement), but also to any other type of entity, such as objects (e.g. computers or other forms of machinery), digital resources or processes (e.g. programmes), as this allows abstraction to the largest common element and thus offers the largest number of applications.) In order for its existence to be acknowledged, an entity needs to have at least one unique identity. [Modinis]
  Note: In an identity system implementation an Entity is abstract, conceptual, non-modelled.

federation
  • An established relationship among a domain of a single service provider or among NGN providers. [ITU-T Y.IdMsec]
  • A federation is a collection of realms that have established a producer-consumer relationship whereby one realm can provide authorized access to a resource it manages based on an identity, and possibly associated attributes, that are asserted in another realm. A federation requires trust such that a Relying Party can make a well-informed access control decision based on the credibility of identity and attribute data that is vouched for by another realm. [FG IdM Use Case]

federated identity
  • A single user identity that can be used to access a group of services or applications that are bounded by the ties and conditions of a federation. [ITU-T Y.IdMsec]
  • A shared Identity and/or authentication, as the result of federation by either the Entity or by two or more organisations. [Identity Dictionary]
  • A collective term describing agreements, standards and technologies that make identity and entitlements portable across autonomous domains. [The Burton Group]

identification
  The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system. [SP 800-47, Appendix D]

identifier
  • an identifier is a series of digits, characters and symbols or any other form of data used to identify subscriber(s), user(s), network element(s), function(s), network entity(ies) providing services/applications, or other entities (e.g. physical or logical objects). [ITU-T Y.2091]
  • a data object (for example, a string) mapped to a system entity that uniquely refers to the system entity. A system entity may have multiple distinct identifiers referring to it. An identifier is essentially a "distinguished attribute" of an entity. [OASIS SAML 2.0]
  • either a "http" or "https" URI (commonly referred to as a "URL" within this document), or an XRI (Reed, D. and D. McAlpin, "Extensible Resource Identifier (XRI) Syntax V2.0"). [OpenID 1.1]
  • strings or tokens that are unique within a given scope (globally or locally within a specific domain, community, directory, application, etc.). Identifiers are the key used by the parties to an identification relationship to agree on the entity being represented. Identifiers may be classified as omnidirectional and unidirectional. Omnidirectional identifiers are intended to be public and easily discoverable, while unidirectional identifiers are intended to be private and used only in the context of a specific identity relationship. Identifiers may also be classified as resolvable or non-resolvable. Resolvable identifiers, such as a domain name or e-mail address, may be dereferenced into the entity they represent. Non-resolvable identifiers, such as a person's real-world name, or a subject or topic name, can be compared for equivalence but are not otherwise machine-understandable. There are many different schemes and formats for digital identifiers. The most widely used is the Uniform Resource Identifier (URI) and its internationalized version, the Internationalized Resource Identifier (IRI), the standard for identifiers on the World Wide Web. OpenID and Light-Weight Identity (LID) are two web authentication protocols that use standard HTTP URIs (often called URLs), for example. A new OASIS standard for abstract, structured identifiers, XRI (Extensible Resource Identifiers), adds new features to URIs and IRIs that are especially useful for digital identity systems. [Wikipedia]
  • an attribute or a set of attributes of an entity which uniquely identifies the entity within a certain context. (For the sake of clarity, identifiers consisting of one attribute are also characteristics; they distinguish an entity from other entities. An entity may have multiple distinct identifiers referring to it. Identifiers uniquely identify an entity, while characteristics do not need to. However, it should be noted that identifiers can consist of a combination of attributes, whereas characteristics are always one single attribute.) [Modinis]
  Note: Identifiers can be used for registration or authorization. They can be either public to all networks, shared between a limited number of networks, or private to a specific network (private IDs are normally not disclosed to third parties).

identity
  • the attributes by which an entity is described, recognized or known. [ITU-T Y.IdMsec]
  • the essence of an entity, often described by its characteristics. [Liberty Alliance]
  • the essence of an entity [Merriam]. One's identity is often described by one's characteristics, among which may be any number of identifiers. [OASIS SAML 2.0]
  • the fundamental concept of uniquely identifying an object (person, computer, etc.) within a context. That context might be local (within a department), corporate (within an enterprise), national (within the bounds of a country), global (all such object instances on the planet), and possibly universal (extensible to environments not yet known). Many identities exist for local, corporate, and national domains. Some globally unique identifiers exist for technical environments, often computer-generated. [Open Group]

identity attribute
  A property of a Digital Subject that may have zero or more values. [Identity Gang]
  Note: See also "attribute".

identity based security policy
  A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed. [X.800]

identity context
  The surrounding environment and circumstances that determine the meaning of Digital Identities and the policies and protocols that govern their interactions. [Identity Gang]

identity information
  all the information identifying a user, including trusted (network generated) and/or untrusted (user generated) addresses. Identity information shall take the form of either a SIP URI (see RFC 2396) or a "tel" URI (see RFC 3966). [ETSI TS 183 007 V1.1.1 (2006-03)]

identity defederation
  the action occurring when Providers agree to stop referring to a Principal via a certain set of identifiers and/or attributes. [OASIS SAML 2.0]

identity federation
  the act of creating a federated identity on behalf of a Principal. [OASIS SAML 2.0]

identity management
  Management by NGN providers of trusted attributes of an entity such as a subscriber, a device or a provider. This is not intended to indicate positive validation of a person. [ITU-T Y.IdMsec]

identity pattern
  A structured expression derived from behaviour that is associated with and describes an entity, allowing it to be recognized or known. Identity patterns may be uniquely associated with an entity, or with a class with which the entity is associated. [TD 312]

identity provider
  • a type of service provider that creates, maintains, and manages identity information for users/devices and provides user/device authentication. [ITU-T Y.IdMsec]
  • an entity that creates, maintains, and manages trusted identity information for entities. An Identity Provider may include a Trusted Third Party. In the context of this NGN IdM, an Identity Provider makes available Identity Management capabilities pursuant to this recommendation to Relying Parties. [ITU-T Y.IdMsec]
  • a service provider that authenticates a user and that creates, maintains, and manages identity information for users and asserts user authentication and other identity related information to other trusted service providers. [ITU-T Y.IdMsec]
  • an entity in an AAI that performs Identity Management. [TF-AACE]
  • a kind of service provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles. [OASIS SAML 2.0]
  Note: ITU-T Q.15/13 currently lists three alternative definitions in the draft recommendation.

identity registration
  The process of making a person's identity known to the (Personal Identity Verification) system, associating a unique identifier with that identity, and collecting and recording the person's relevant attributes into the system. [FIPS 201, App. F]

interoperability
  the ability of independent systems to exchange meaningful information and initiate actions from each other, in order to operate together to mutual benefit. In particular, it envisages the ability for loosely-coupled independent systems to be able to collaborate and communicate; the possibility of use in services outside the direct control of the issuing assigner. [ISO TC46/SC9 Identifier Interoperability Working Group]
  Note: Identifiers assigned in one context may be encountered, and may be re-used, in another place or time without consulting the assigner. Assumptions made on assignment may not be known to someone else.

layer network
  A "topological component" that represents the complete set of access groups of the same type which may be associated for the purpose of transferring information. [ITU-T G.805, Y.2091]

mutual authentication
  requirement that both the service provider and the user identify each other. [Identity Dictionary]

metadata
  a relationship that someone claims to exist between two entities. [The <indecs> Framework (www.indecs.org, Interoperability of Data in E-Commerce Systems)]
  Note: For those used to simpler definitions of metadata as simply "data about data", note that these are synonymous: P says "data A is about data B" = "P claims that there is a relationship between A and B". In computerised systems A and B must be denoted as referents.

name
  a name is the identifier of an entity (e.g. subscriber, network element) that may be resolved/translated into an address. [ITU-T Y.2091]

network transparency
  the ability of a protocol to transmit data over the network in a manner which is transparent to those using the applications that are using the protocol. [Wikipedia]

non-repudiation
  The ability through historical logs and logical analysis to prevent or discourage an Entity from denying that it had acted as an Identity in a given transaction, especially in a legal sense. [Identity Dictionary]
  Note: It may need to be based on a biometric and include encrypted audit trails to be successful in a court of law; otherwise the offender could be able to plead guilty to the lesser charge of leaving their password on a Post-It Note.

object
  A well-defined piece of information, definition, or specification which requires a name in order to identify its use in an instance of communication and identity management processing. [X.680]

owner
  the registered Entity for an Identity. [Identity Dictionary]
  Note: An Entity owns an Identity (and therefore its access rights) due solely to the ability to authenticate it.

party
  a natural person or a juridical entity. [Identity Gang]

path layer network
  A "layer network" which is independent of the transmission media and which is concerned with the transfer of information between path layer network "access points". [ITU-T G.805]

peer-entity authentication
  the corroboration that a peer entity in an association is the one claimed. [ITU-T Y.IdMsec, X.810]

persistent
  existing, and able to be used in services outside the direct control of the issuing assigner, without a stated time limit. [DOI System, ISO TC46/SC9/WG7, WD 26324]

persona
  a super-identity or "avatar" of an entity; a persona may be the result of federating several existing identities. [Identity Dictionary]
  Note: Literally means "mask" (Greek). The result is intended to convey a special purpose or role, such as the incarnation of a higher being.

persona
  a pre-existing Digital Identity that a user, through an Agent, has the ability to select and use to represent themselves in a given Identity Context. [Identity Gang]
  Notes:
  • Compare with "alias".
  • A Persona is something put forward by a user, but how it is perceived, recognized, accepted, rejected, trusted, used etc. by a Relying Party cannot be specified or in any way implied.
  • Often used when the set of Claims represents some role or virtual character animated by the Digital Subject.

policy
  a set of Rules, usually associated with a Role or other dynamic attributes. [Identity Dictionary]
  Note: It is normally used for access provisioning and access reconciliation.

principal
  an entity whose identity can be authenticated. [ITU-T Y.IdMsec, X.811]

privacy
  • the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
  • a right to control the dissemination of the attributes of an entity.

privacy policy
  the policy statement that defines the rules for protecting personal privacy information. [ITU-T Y.IdMsec]

private (subscriber) identity
  An identity derived from the IMSI. [3GPP TS 123 003]

private identifier
  A Claimed Identifier that is intended to be private information used only in the context of the End User's relationship with one or more specific Relying Parties (typically one or a small number). The use of Private Identifiers reduces or eliminates the ability of multiple Relying Parties to do correlation of an End User. [OpenID]

provisioning
  automatically providing an Identity with access to a role, resource or service, or automatically changing or removing that access, based on the life cycle of events or work requests or changed attributes. [Identity Dictionary]

pseudonym
  A fictitious identity that an Entity creates for itself, whereby the Entity can remain pseudonymous, or perhaps even fully anonymous, in certain contexts. [Identity Dictionary]
  Notes:
  • Literally means "false name". It may be persistent or temporary. But it must be "persistent" if you will want to reuse it; this makes it difficult to remain fully anonymous because any details provided or collected over time may be joined with other details and republished.
  • Compare with "alias".

public (subscriber) identity
  either a SIP URI or a tel URI. [3GPP TS 123 003]

public service identifier
  either a SIP URI or a tel URI. [3GPP TS 123 003]

relying party
  • a Party that makes known through its Agent one or more alternative sets of Claims that it desires or requires, and receives through this same Agent a Digital Identity purportedly including the required Claims from a Digital Identity Provider or other Agent of another Party. [JoaquinM, DaveK, DickH, Johannes]
  • the entity that relies on the result of an authentication. Usually, but not always, the same as the authenticating party and service provider.

repudiation
  an ability to provide public notice that identity credentials, identifiers, attributes, or patterns have been revoked or are not valid. [See RFC 2560]
  Notes:
  • Compare with "revocation".
  • For X.509 digital certificates, the principal means to provide repudiation notice is the Online Certificate Status Protocol (OCSP).
  • Repudiation is a highly important mechanism for giving users and other parties notice arising from termination of an identity, for example because of identity theft, termination of privileges, death, etc.

revocation
  the act (by someone having the authority) of annulling something previously done. [ITU-T Y.2701]

security domain
  A set of elements, a security policy, a security authority and a set of security-relevant activities in which the elements are managed in accordance with the security policy. The policy will be administered by the security authority. A given security domain may span multiple security zones. [ITU-T Y.2701]

security zone
  ITU-T Y.2701 defines three security zones: (1) trusted, (2) trusted but vulnerable, and (3) un-trusted. A security zone is defined by operational control, location, and connectivity to other device/network elements. [ITU-T Y.2701]

security domain authority
  A security authority that is responsible for the implementation of a security policy for a security domain. [ITU-T Y.IdMsec, X.810]

symmetric authentication method
  A method of authentication in which both entities share common authentication information. [ITU-T Y.IdMsec, X.811]

relying party/service provider
  • a system entity that decides whether or not to take action based on information provided by another system entity, such as an Identity Provider.
  • an entity that relies upon the assertions from an Identity Provider that it trusts, typically to process a transaction or grant access to information or a system.
  Source: ITU-T Y.IdMsec

trail
  A "transport entity" which consists of an associated pair of "unidirectional trails" capable of simultaneously transferring information in opposite directions between their respective inputs and outputs. [ITU-T G.805]
  Note: This could be regarded as a "connection" trail to distinguish it from the "connectionless trail" defined in [ITU-T G.809].

transmission media layer network
  A "layer network" which may be media dependent and which is concerned with the transfer of information between transmission media layer network "access points" in support of one or more "path layer networks". [ITU-T G.805]

transport
  The functional process of transferring information between different locations. [ITU-T G.805]

transport entity
  An architectural component which transfers information between its inputs and outputs within a layer network. [ITU-T G.805]

transport network
  The functional resources of the network which convey user information between locations. [ITU-T G.805]
  Note: In accordance with [G.805], in the NGN context of the NGN transport stratum the term "transport" has a wider scope than "transmission" or "first mile" access networks.

trust
  • a reasonable level of confidence that an entity will behave in a certain manner in a given context.
  • entity X is said to trust entity Y for a set of activities if and only if entity X relies upon entity Y behaving in a particular way with respect to the activities.
  • an instance of a relationship between two or more entities, in which an entity assumes that another entity will act as authorised/expected.
  • Trust is an evaluation, by an entity, of the reliability of an identity when the identity is involved in interactions.
  Sources: ITU-T Y.IdMsec; ITU-T Y.2701; Onghome
  Note: The risk/trust relationship depends on who you are and what you want to do at any instance. The degrees of separation between parties can decrease the trust (increase the risk). The level of trust is typically based on the technical strength of the identity, but it also includes the evaluating entity's subjective considerations (e.g. feelings) of the reliability of the entity the identity represents. Trust is at least partially transitive (as in the case of notaries).

trusted but vulnerable zone
  From the viewpoint of an NGN provider, a security zone where the network elements/devices are operated (provisioned and maintained) by the NGN provider. The equipment may be under the control of either the customer/subscriber or the NGN provider. In addition, the equipment may be located within or outside the NGN provider's domain. They communicate with elements both in the trusted zone and with elements in the un-trusted zone, which is why they are "vulnerable". Their major security function is to protect the NEs in the trusted zone from the security attacks originated in the un-trusted zone in a fail-safe manner. [ITU-T Y.2701]

trusted entity
  an entity that can violate a security policy, either by performing actions which it is not supposed to do, or by failing to perform actions which it is supposed to do. [ITU-T Y.IdMsec, X.810]

trusted identity information
  network generated user public identity information. [ETSI TS 183 007 V1.1.1 (2006-03)]

trusted third party
  a security authority or its agent that is trusted with respect to some security relevant activities (in the context of a security policy). [ITU-T Y.IdMsec, X.810]

trusted zone
  From the viewpoint of an NGN provider, a security domain where an NGN provider's network elements and systems reside and never communicate directly with customer equipment. The common characteristics of NGN network elements in this domain are that they are under the full control of the related NGN provider, are located in the NGN provider premises (which provides physical security), and they communicate only with elements in the "trusted" domain and with elements in the "trusted-but-vulnerable" domain. [ITU-T Y.2701]

untrusted zone
  From the viewpoint of an NGN provider, a zone that includes all network elements of customer networks or possibly peer networks or other NGN provider zones outside of the original domain, which are connected to the NGN provider's border elements. [ITU-T Y.2701]

user
  • a user includes end user [Y.2091], person, subscriber, system, equipment, terminal (e.g. FAX, PC), (functional) entity, process, application, provider, or corporate network.
  • an Identity where the identifier of the identity is the public part of a paired Identity assertion.
  Note: A user may have several identities / usernames / user-ids / logon-ids / sign-ons.

user identifiers
  identifiers that represent users in their interactions with other parties. Users may present their identifiers verbally, on paper, on plastic cards, or in any other appropriate manner. Electronic user identifiers are electronically presented over data communication channels by user-operated computing devices (client devices) such as PCs, laptops, mobile phones, and smartcards. [Onghome]

verification authentication information (verification AI)
  Information used by a verifier to verify an identity claimed through exchange AI. [ITU-T Y.IdMsec, X.811]

verifier
  an entity which is or represents the entity requiring an authenticated identity. A verifier includes the functions necessary for engaging in authentication exchanges. [ITU-T Y.IdMsec, X.811]