Roger Clarke's 'Id and Authentication Glossary'
Roger
Clarke
Principal,
Xamax
Consultancy Pty Ltd, Canberra
Visiting Professor,
Baker
& McKenzie Cyberspace Law & Policy Centre,
University
of N.S.W.
Visiting Professor,
E-Commerce
Programme,
University
of Hong Kong
Visiting Fellow,
Department
of Computer Science,
Australian
National University
This is an extract from a monograph on
'Identity
Management: The Technologies, Their Business Value, Their Problems, and Their
Prospects', of March 2004
Version of 9 May 2004
©
Xamax Consultancy Pty Ltd, 2004
Available under an AEShareNet licence
This document is at http://www.rogerclarke.com/EC/IdAuthGloss.html
- Access
- The use by an Entity of a Capability in relation to a System Resource. The
Entity that is afforded the Capability may be a Natural Person or an Artefact.
- Access Control
- The protection of System Resources against unauthorised Access. In
particular, the application of Privileges and Restrictions accorded to
Usernames or Roles, in accordance with an Access Control List (ACL).
- Access Control List (ACL)
- A data structure that enumerates Usernames and/or Roles, and possibly also
groups of Usernames and/or Roles, together with the Permissions and
Restrictions that they enjoy in relation to System Resources.
- Account
- A set of Data-Items held by an organisation, which relates to a particular
Identity external to the organisation, and defines the relationship between the
two parties.
-
- An Individual or Business Enterprise may have multiple Accounts with any
one organisation, to reflect the various Identities they adopt, or the various
Roles that they play.
- Agent
- A Legal Entity that has the capacity to act on behalf of another Legal
Entity. The Legal Entity that is represented is referred to as a Principal.
- Anonym
- An Identifier that cannot be associated with any particular Entity.
- Anonymity
- A characteristic of Records and Transactions, such that they cannot be
associated with any particular Entity, whether from the data itself, or by
combining it with other data.
- Artefact
- A human-made Entity. Artefacts include such devices as workstations, smart
cards and robots, and software agents that exhibit more or less intelligent
behaviour, and whose Entity or Identity may need to be subjected to
Authentication.
- Assertion
- A statement that declares that one or more putative facts are true.
- Attribute
- A characteristic of a real-world Entity, Identity or Event. Attributes of
a Natural Person include the person's gender, age-range, qualifications (such
as being a registered counsellor), and capacity to act as an Agent for another
Entity.
- Authentication
- The process of testing of an Assertion, in order to establish a level of
confidence in the Assertion's reliability. Categories of Assertion that may be
subjected to Authentication may refer to Agents, Attributes, Credentials, Data
Integrity, Entities, Identities, Location, and/or Value.
- Authentication Strength
- The degree of confidence that is engendered by an Authentication process.
Also referred to as Authentication Quality.
- Authenticator
- An item of Evidence used in the process of Authentication. It may comprise
an ephemeral act such as the demonstration of knowledge (such as a Password or
the maiden name of a person's mother), or the demonstration of the ability to
perform a particular act (such as the writing of a signature); or it may have
a physical or digital existence in the form of a Credential, including a Token
or a Document.
- Authorisation
- A synonym for Permission.
- Authorisation Process
- A procedure for granting Permissions, which are then stored in an Access
Control List.
- Biometric
- A measure of an Attribute of a Natural Person's physical self, or of their
physical behaviour. In principle at least, a Biometric can be used as an
Entifier for a Natural Person; as an Authenticator for an Assertion involving
a human Entity; and as a means of restricting the use of a personalised Token
to the appropriate Natural Person.
- Business Enterprise
- A for-profit organisation. It may be an incorporated body (in particular a
corporation) recognised at law as a Legal Person, or may be unincorporated, and
treated by the law as indistinguishable from the individuals who constitute it.
- Call-Back
- A technique whereby a System does not permit Access by a User directly, but
only accepts from a User a request for Access, and then initiates a connection
to a location previously recorded for that User (e.g. a telephone-number or
IP-Address).
- Candidate Key
- One of more Data-Items within a Record or Transaction that potentially
enables the Record or Transaction to be associated with a particular real-world
Entity or Identity.
- Challenge-Response
- An Authentication technique whereby a System does not permit Access by a
User, until the User has given the correct answer (or `response') to a question
(or `challenge'). A Password is a form of Challenge-Response authentication.
Other examples include requests for date of birth, invoicing address, and the
most recent transaction on the User's account.
- Credential
- An Authenticator that has physical or digital existence. Examples include
a Document and a Token. The concept of Credential does not include an
ephemeral act such as demonstration of the possession of knowledge (such as a
Password, or the person's mother's maiden name), nor the ability to perform an
action (such as providing a written signature).
- Data-Item
- An element within a Record or Transaction.
- Document
- A Credential comprising writing or printing on paper, or its equivalent in
electronic form. Examples include birth certificates, certificates of
naturalisation, marriage certificates, passports, drivers' licences (and, in
some jurisdictions, non-drivers' 'licences'), employer-issued building security
cards, credit cards, club membership cards, statutory declarations, affidavits,
letters of introduction, and invoices from utilities.
- Enrolment
- Alternative term for Registration.
- Entifier
- One or more data-items concerning an Entity that are sufficient to
distinguish it from other Entities, and that are used to signify that Entity.
For a Natural Person, an Entifier is of necessity a Biometric. A Legal Person
does not have corporeal existence, and hence cannot have an Entifier. An
Artefact may have an Entifier, e.g. a Processor-ID or the Network Interface
Card (NIC) Id of an Ethernet card.
- Entification
- The process whereby data is associated with a particular Entity. It is
performed through the acquisition of data that constitutes an Entifier for that
Entity.
- Entity
- A real-world thing. Categories include objects, animals, Artefacts,
Natural Persons, and Legal Persons (such as corporations, trusts,
superannuation funds, and incorporated associations).
- Entity Authentication
- The process of testing an Assertion that data is associated with a
particular Entity, in order to establish a level of confidence in the
Assertion's reliability. In particular, the process of cross-checking a
newly-acquired Entifier against a pre-recorded Entifier.
- Event
- An occurrence in the real world.
- Evidence
- Something that assists in resolving facts at issue.
- Evidence of Identity (EOI)
- Evidence that assists in Authentication of an Assertion relating to
Identity. Sometimes referred to by the less appropriate term Proof of Identity.
- Evidence of Ownership (EOO)
- Evidence that assists in Authentication of an Assertion that a particular
Entity is the appropriate possessor of a Credential. Sometimes referred to by
the less appropriate term Proof of Ownership.
- False Acceptance
- A decision to accept an Assertion, which is not correct.
- False Rejection
- A decision to reject an Assertion, which is not correct.
- Federated Identity Management
- Performance of the Identity Management function by multiple organisations,
in order to deliver a Single Sign-On service to multiple
organisations.
- Identification
- The process whereby data is associated with a particular Identity. It is
performed through the acquisition of data that constitutes an Identifier for
that Identity.
- Identifier
- One or more data-items concerning an Identity that are sufficient to
distinguish it from other Identities, and that are used to signify that
Identity. Identifiers for Identities used by Natural Persons include names
assigned by people. Identifiers also include `id numbers' or `id codes' issued
by other Entities that the Entity interacts with. An Entity may be assigned
many such numbers and codes. A Natural Person may use many Identifiers,
including variants of names. A Legal Person may have many names (e.g.
associated with business units, divisions, branches, trading-names, trademarks
and brandnames), and multiple `id numbers' and `id codes' assigned by other
Entities that the Entity interacts with.
- Identity
- A particular presentation of an Entity. An Identity may correspond to a
Role played by the Entity. An Identity may be used by the Entity in its
dealings with one other Entity, or with many other Entities. An organisation
may maintain an Account within its records that corresponds to an Identity.
- Identity Authentication
- The process of testing an Assertion that data is appropriately associated
with a particular Identity, in order to establish a level of confidence in the
Assertion's reliability. In particular, the process of cross-checking, against
additional Evidence of Identity (EOI), the Identity signified by an Identifier
acquired during an Identification process.
- Identity Management
- A set of processes that enable the Authentication of Assertions relating to
Identity. The term is often used in a more restrictive sense, however, to
apply to the specific context of online access over open public networks.
- Identity Management System
- A system that provides a cluster of services relating to Identity
Management. The central service is Authentication. The system may also
support other services, such as Pre-Authentication, Authorisation, Single
Sign-On, Identity repository management, a synchronisation management facility,
user self-service registration, user self-service capabilities, and audit.
- Individual
- A Natural Person.
- Legal Entity
- An Entity that is recognised at law as having the capacity to act.
- Legal Person
- A Legal Entity that is recognised at law, but is not a Natural Person.
Examples include corporations, incorporated associations and trusts. Some
government agencies are Legal Persons, in particular those established under
statute, and those formed under the Corporations Law. All other government
agencies form part of a single Legal Person called a body politic, such as the
Commonwealth of Australia, and the State of N.S.W. A Legal Person may perform
Roles, including as Agent for other Legal Entities.
- Login
- An action by an Entity whereby they seek Access to System Resources.
Usually involves the provision of a Username/Password pair to an Access Control
System.
- LoginId
- Alternative term for User Name.
- Multi-Factor Authentication
- An Authentication process in which multiple forms of Evidence are used, in
order to increase the level of confidence in the Assertion. In the case of
Identity Authentication, this involves two or more of the following: an
additional Identifier provided by the person; knowledge demonstrated by the
person (`something you know'); an act performed by the person (something you
can do); a Credential provided by the person (`something you have'); or a
Biometric surrendered by the person (`something you are' or something you do).
- Natural Person
- A human being, and a particular category of Legal Entity. Distinguished
from a Legal Person. A Natural Person performs social, economic and political
functions in various Roles, e.g. as citizens, consumers, sole traders, and
members of partnerships and unincorporated solutions; and as Agents both for
other Natural Persons and for Legal Persons.
- Nym
- A generic term encompassing both Anonym and Pseudonym.
- Nymity
- A generic term encompassing both Anonymity and Pseudonymity.
- Password
- A form of Challenge-Response Authentication in which a string of characters
is used to assist in the Authentication of the Assertion that a person has the
right to use a Username. The effectiveness of the technique is predicated on
the assumption that the Password is known only by the appropriate Entity (and,
in less secure schemes, also by the System conducting the Authentication).
- Permission
- A Capability, associated with a Username, which enables Access to System
Resources. It is usually recorded in an Access Control List (ACL).
Authorisation and Privilege are used as synonyms for Permission.
- Persistent Nym
- A Nym that is capable of being used on a continuing basis, to support a
succession of communications.
- Pre-Authentication
- A series of steps undertaken during a Registration process, to simplify
subsequent Authentication processes. The steps include the collection of
Evidence in order to establish a level of confidence in an Assertion. It may
involve the issue of a Credential. The term is commonly used to refer to
Pre-Authentication of Identity, resulting in the issue of some kind of Token.
It is equally applicable, however, to Attribute and Agency Authentication.
- Principal
- The Legal Entity on whose behalf an Agent acts.
- Privacy
- The interests that Natural Persons have in sustaining a 'personal space',
free from interference by other people and organisations, and in controlling
information about themselves. It has multiple dimensions, including privacy of
the physical person, privacy of personal behaviour, privacy of personal
communications, and privacy of personal data. A variety of privacy rights are
conferred by international instruments, and by the laws of most jurisdictions.
The term is often used in a misleading manner by security specialists, as a
synonym for what they also call 'data confidentiality', or even to refer merely
to the protection of the content of data during transmission.
- Privilege
- A synonym for Permission and for Authorisation.
- Profile
- Data associated with a Username. It is intended that the data reflect
Attributes of the Entity issued with the particular Username that are useful in
enhancing the service provided to it.
- Proof of Identity (POI)
- Evidence that is determinative of truth in relation to an Assertion
relating to Identity. Such a concept is inconsistent with the notion of
risk-managed security. Hence the concept of Evidence of Identity is to be
strongly preferred.
- Proof of Ownership (POO)
- Evidence that is determinative of truth in relation to an Assertion that a
particular Entity is the appropriate possessor of a Credential. The concept is
inconsistent with the notion of risk-managed security. Hence the concept of
Evidence of Ownership is to be strongly preferred.
- Pseudonym
- An Identifier that cannot be associated with any particular Entity unless
legal, organisational and technical constraints are overcome.
- Pseudonymity
- A characteristic of Records and Transactions, such that they cannot be
associated with any particular Entity, unless legal, organisational and
technical constraints are overcome.
- Record
- A collection of Data-Items, expressed in the abstract world in order to
represent an Entity or Identity in the real world.
- Registration
- A process comprising a series of steps intended to simplify subsequent
Authentication processes. Also referred to as Enrolment. One important aspect
is Pre-Authentication.
- Relying Party
- An Entity that relies on an Assertion. Of particular importance is an
Assertion that another Assertion (e.g. of Value, Identity, Attribute or Agency)
has been subjected to particular Pre-Authentication or Authentication processes.
- Restriction
- A limitation on a capability associated with a Username in respect of
System Resources. It is typically recorded in an Access Control List.
- Role
- A pattern of behaviour adopted by an Entity. An Entity may adopt one
Identity in respect of each Role, or may use the same Identity when performing
multiple Roles. Examples of Roles played by Legal Entities include seller and
buyer, supplier and receiver, debtor and creditor, payer and payee, principal
and agent, franchisor and franchisee, lessor and lessee, copyright licensor and
licensee, employer and employee, contractor and contractee, trustee and
beneficiary, tax-assessor and tax-assessee, business licensor and licensee,
plaintiff and respondent, investigator and investigatee, and prosecutor and
defendant.
- Role-Based Access Control (RBAC)
- An approach to Access Control whereby Usernames are associated with Roles
(or functional positions), within an organisation or process, rather than with
individual Users.
- Silo Identity Management
- Performance of the Identity Management function by an organisation in order
to deliver a Single Sign-On service within a single
organisation.
- Simplified Sign-On
- A system that reduces the number of Passwords that Users have to remember
in order to gain Access to multiple systems.
- Single Sign-On
- A system that enables an Entity to Access multiple sets of System Resources
after being authenticated just once (e.g. by keying a Username/Password pair).
The concept originated within organisations, but is capable of being applied
across multiple organisations as well.
- System Resource
- A Resource, Access to which is provided by an Access Control System.
Examples of System Resources include data-files, data-records within
data-files, Data-Items within data-records, software and specific services
provided by software.
- Three-Factor Authentication
- A form of Multi-Factor Authentication. It is most commonly described as
involving `something you know', `something you have', and `something you are'.
- Token
- A Credential issued by a Legal Entity to another Legal Entity in which a
third Entity places some degree of trust. A Token is designed to provide a
relatively high level of confidence in some kind of Assertion, and is likely to
include security features intended to render it difficult to forge, and tying
it in some manner with the particular Entity. Examples include `identity
cards'(especially `photo-id'), turnaround documents, tickets issued to Natural
Persons required to wait in a queue, and smartcards and `dongles' designed to
be used in conjunction with standalone and networked workstations.
- Transaction
- A collection of Data-Items, expressed in the abstract world in order to
represent an Event in the real world.
- Two-Factor Authentication
- A form of Multi-Factor Authentication. It is most commonly described as
involving `something you know', and `something you have'.
- User
- In the context of Usernames and Access Control, a Natural Person who seeks
Access to System Resources.
- Username
- A string of characters that is issued to an Identity, and is included
within an Access Control List, and which thereby has Permissions, and is
subject to Restrictions, in relation to Access to System Resources. Also
referred to as LoginID and User ID. Normally used in conjunction with a
Password or PIN, and possibly also a Token, in order to enable Authentication.
Usernames are often treated as thought they constitute an Identifier. This is
inadvisable.
- Validation
- The process of establishing the truth of an Assertion. Also referred to as
Verification. The concept is inconsistent with the notion of risk-managed
security. Hence the concept of Authentication is to be strongly preferred.
- Verification
- The process of establishing the truth of an Assertion. Also referred to as
Validation. The concept is inconsistent with the notion of risk-managed
security. Hence the concept of Authentication is to be strongly preferred.
Created: 8 October 2001 -
Last Amended: 9 May 2004
by Roger Clarke
- Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/IdAuthGloss.html
Mail to Webmaster -
© Xamax Consultancy Pty Ltd, 1995-2022 -
Privacy Policy