Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd, 1995-2016

Roger Clarke's 'Id and Authentication Glossary'

Identification and Authentication
Glossary

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Professor, Baker & McKenzie Cyberspace Law & Policy Centre, University of N.S.W.

Visiting Professor, E-Commerce Programme, University of Hong Kong

Visiting Fellow, Department of Computer Science, Australian National University

This is an extract from a monograph on 'Identity Management: The Technologies, Their Business Value, Their Problems, and Their Prospects', of March 2004

Version of 9 May 2004

© Xamax Consultancy Pty Ltd, 2004

Available under an AEShareNet Free
for Education licence

This document is at http://www.rogerclarke.com/EC/IdAuthGloss.html


Access
The use by an Entity of a Capability in relation to a System Resource. The Entity that is afforded the Capability may be a Natural Person or an Artefact.
Access Control
The protection of System Resources against unauthorised Access. In particular, the application of Privileges and Restrictions accorded to Usernames or Roles, in accordance with an Access Control List (ACL).
Access Control List (ACL)
A data structure that enumerates Usernames and/or Roles, and possibly also groups of Usernames and/or Roles, together with the Permissions and Restrictions that they enjoy in relation to System Resources.
Account
A set of Data-Items held by an organisation, which relates to a particular Identity external to the organisation, and defines the relationship between the two parties.
An Individual or Business Enterprise may have multiple Accounts with any one organisation, to reflect the various Identities they adopt, or the various Roles that they play.
Agent
A Legal Entity that has the capacity to act on behalf of another Legal Entity. The Legal Entity that is represented is referred to as a Principal.
Anonym
An Identifier that cannot be associated with any particular Entity.
Anonymity
A characteristic of Records and Transactions, such that they cannot be associated with any particular Entity, whether from the data itself, or by combining it with other data.
Artefact
A human-made Entity. Artefacts include such devices as workstations, smart cards and robots, and software agents that exhibit more or less intelligent behaviour, and whose Entity or Identity may need to be subjected to Authentication.
Assertion
A statement that declares that one or more putative facts are true.
Attribute
A characteristic of a real-world Entity, Identity or Event. Attributes of a Natural Person include the person's gender, age-range, qualifications (such as being a registered counsellor), and capacity to act as an Agent for another Entity.
Authentication
The process of testing an Assertion, in order to establish a level of confidence in the Assertion's reliability. Categories of Assertion that may be subjected to Authentication may refer to Agents, Attributes, Credentials, Data Integrity, Entities, Identities, Location, and/or Value.
Authentication Strength
The degree of confidence that is engendered by an Authentication process. Also referred to as Authentication Quality.
Authenticator
An item of Evidence used in the process of Authentication. It may comprise an ephemeral act such as the demonstration of knowledge (such as a Password or the maiden name of a person's mother), or the demonstration of the ability to perform a particular act (such as the writing of a signature); or it may have a physical or digital existence in the form of a Credential, including a Token or a Document.
Authorisation
A synonym for Permission.
Authorisation Process
A procedure for granting Permissions, which are then stored in an Access Control List.
Biometric
A measure of an Attribute of a Natural Person's physical self, or of their physical behaviour. In principle at least, a Biometric can be used as an Entifier for a Natural Person; as an Authenticator for an Assertion involving a human Entity; and as a means of restricting the use of a personalised Token to the appropriate Natural Person.
Business Enterprise
A for-profit organisation. It may be an incorporated body (in particular a corporation) recognised at law as a Legal Person, or may be unincorporated, and treated by the law as indistinguishable from the individuals who constitute it.
Call-Back
A technique whereby a System does not permit Access by a User directly, but only accepts from a User a request for Access, and then initiates a connection to a location previously recorded for that User (e.g. a telephone-number or IP-Address).
Candidate Key
One or more Data-Items within a Record or Transaction that potentially enable the Record or Transaction to be associated with a particular real-world Entity or Identity.
Challenge-Response
An Authentication technique whereby a System does not permit Access by a User, until the User has given the correct answer (or `response') to a question (or `challenge'). A Password is a form of Challenge-Response authentication. Other examples include requests for date of birth, invoicing address, and the most recent transaction on the User's account.
Credential
An Authenticator that has physical or digital existence. Examples include a Document and a Token. The concept of Credential does not include an ephemeral act such as demonstration of the possession of knowledge (such as a Password, or the person's mother's maiden name), nor the ability to perform an action (such as providing a written signature).
Data-Item
An element within a Record or Transaction.
Document
A Credential comprising writing or printing on paper, or its equivalent in electronic form. Examples include birth certificates, certificates of naturalisation, marriage certificates, passports, drivers' licences (and, in some jurisdictions, non-drivers' 'licences'), employer-issued building security cards, credit cards, club membership cards, statutory declarations, affidavits, letters of introduction, and invoices from utilities.
Enrolment
Alternative term for Registration.
Entifier
One or more data-items concerning an Entity that are sufficient to distinguish it from other Entities, and that are used to signify that Entity. For a Natural Person, an Entifier is of necessity a Biometric. A Legal Person does not have corporeal existence, and hence cannot have an Entifier. An Artefact may have an Entifier, e.g. a Processor-ID or the Network Interface Card (NIC) Id of an Ethernet card.
Entification
The process whereby data is associated with a particular Entity. It is performed through the acquisition of data that constitutes an Entifier for that Entity.
Entity
A real-world thing. Categories include objects, animals, Artefacts, Natural Persons, and Legal Persons (such as corporations, trusts, superannuation funds, and incorporated associations).
Entity Authentication
The process of testing an Assertion that data is associated with a particular Entity, in order to establish a level of confidence in the Assertion's reliability. In particular, the process of cross-checking a newly-acquired Entifier against a pre-recorded Entifier.
Event
An occurrence in the real world.
Evidence
Something that assists in resolving facts at issue.
Evidence of Identity (EOI)
Evidence that assists in Authentication of an Assertion relating to Identity. Sometimes referred to by the less appropriate term Proof of Identity.
Evidence of Ownership (EOO)
Evidence that assists in Authentication of an Assertion that a particular Entity is the appropriate possessor of a Credential. Sometimes referred to by the less appropriate term Proof of Ownership.
False Acceptance
An incorrect decision to accept an Assertion.
False Rejection
An incorrect decision to reject an Assertion.
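The two error types are easiest to see in a matcher that accepts or rejects on a score threshold, such as a Biometric compared against a pre-recorded Entifier. The following is an added example (not part of the glossary) with constructed similarity scores for a hypothetical matcher: raising the threshold lowers False Acceptance at the cost of more False Rejection, which is why Authentication Strength is a matter of confidence rather than certainty.

```python
"""Added example: how a decision threshold trades False Acceptance
against False Rejection. All scores are constructed sample data."""

# Similarity scores (0.0 to 1.0) from a hypothetical Biometric matcher.
# "Genuine": a fresh Entifier compared with the same person's enrolled one.
# "Impostor": a fresh Entifier compared with a different person's enrolled one.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.70, 0.83, 0.62, 0.90, 0.85, 0.78, 0.93]
IMPOSTOR_SCORES = [0.20, 0.35, 0.66, 0.12, 0.41, 0.74, 0.30, 0.25, 0.58, 0.19]


def accept(score: float, threshold: float) -> bool:
    """Accept the Assertion 'this is the enrolled person' iff score >= threshold."""
    return score >= threshold


def error_rates(threshold: float,
                genuine=GENUINE_SCORES,
                impostor=IMPOSTOR_SCORES) -> tuple[float, float]:
    """Return (false_acceptance_rate, false_rejection_rate) at one threshold.

    A False Acceptance is an impostor attempt that is accepted;
    a False Rejection is a genuine attempt that is rejected.
    """
    false_accepts = sum(1 for s in impostor if accept(s, threshold))
    false_rejects = sum(1 for s in genuine if not accept(s, threshold))
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_threshold(candidates) -> float:
    """Pick the candidate threshold where the two error rates are closest.

    Operators often prefer a different operating point (e.g. very low
    False Acceptance for high-value Access); this just shows the trade-off.
    """
    return min(candidates, key=lambda t: abs(error_rates(t)[0] - error_rates(t)[1]))


if __name__ == "__main__":
    for t in (0.6, 0.7, 0.8):
        far, frr = error_rates(t)
        print(f"threshold {t:.1f}: FAR={far:.2f} FRR={frr:.2f}")
    print("equal-error threshold:", equal_error_threshold((0.6, 0.7, 0.8)))
```

With these sample scores a threshold of 0.6 accepts two impostor attempts and rejects no genuine ones, while 0.8 rejects three genuine attempts and accepts no impostors; the risk-managed choice depends on which error is costlier for the System Resource being protected.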
Federated Identity Management
Performance of the Identity Management function by multiple organisations, in order to deliver a Single Sign-On service to multiple organisations.
Identification
The process whereby data is associated with a particular Identity. It is performed through the acquisition of data that constitutes an Identifier for that Identity.
Identifier
One or more data-items concerning an Identity that are sufficient to distinguish it from other Identities, and that are used to signify that Identity. Identifiers for Identities used by Natural Persons include names assigned by people. Identifiers also include `id numbers' or `id codes' issued by other Entities that the Entity interacts with. An Entity may be assigned many such numbers and codes. A Natural Person may use many Identifiers, including variants of names. A Legal Person may have many names (e.g. associated with business units, divisions, branches, trading-names, trademarks and brandnames), and multiple `id numbers' and `id codes' assigned by other Entities that the Entity interacts with.
Identity
A particular presentation of an Entity. An Identity may correspond to a Role played by the Entity. An Identity may be used by the Entity in its dealings with one other Entity, or with many other Entities. An organisation may maintain an Account within its records that corresponds to an Identity.
Identity Authentication
The process of testing an Assertion that data is appropriately associated with a particular Identity, in order to establish a level of confidence in the Assertion's reliability. In particular, the process of cross-checking, against additional Evidence of Identity (EOI), the Identity signified by an Identifier acquired during an Identification process.
Identity Management
A set of processes that enable the Authentication of Assertions relating to Identity. The term is often used in a more restrictive sense, however, to apply to the specific context of online access over open public networks.
Identity Management System
A system that provides a cluster of services relating to Identity Management. The central service is Authentication. The system may also support other services, such as Pre-Authentication, Authorisation, Single Sign-On, Identity repository management, a synchronisation management facility, user self-service registration, user self-service capabilities, and audit.
Individual
A Natural Person.
Legal Entity
An Entity that is recognised at law as having the capacity to act.
Legal Person
A Legal Entity that is recognised at law, but is not a Natural Person. Examples include corporations, incorporated associations and trusts. Some government agencies are Legal Persons, in particular those established under statute, and those formed under the Corporations Law. All other government agencies form part of a single Legal Person called a body politic, such as the Commonwealth of Australia, and the State of N.S.W. A Legal Person may perform Roles, including as Agent for other Legal Entities.
Login
An action by an Entity whereby they seek Access to System Resources. Usually involves the provision of a Username/Password pair to an Access Control System.
LoginId
Alternative term for User Name.
Multi-Factor Authentication
An Authentication process in which multiple forms of Evidence are used, in order to increase the level of confidence in the Assertion. In the case of Identity Authentication, this involves two or more of the following: an additional Identifier provided by the person; knowledge demonstrated by the person (`something you know'); an act performed by the person (something you can do); a Credential provided by the person (`something you have'); or a Biometric surrendered by the person (`something you are' or something you do).
Natural Person
A human being, and a particular category of Legal Entity. Distinguished from a Legal Person. A Natural Person performs social, economic and political functions in various Roles, e.g. as citizens, consumers, sole traders, and members of partnerships and unincorporated associations; and as Agents both for other Natural Persons and for Legal Persons.
Nym
A generic term encompassing both Anonym and Pseudonym.
Nymity
A generic term encompassing both Anonymity and Pseudonymity.
Password
A form of Challenge-Response Authentication in which a string of characters is used to assist in the Authentication of the Assertion that a person has the right to use a Username. The effectiveness of the technique is predicated on the assumption that the Password is known only by the appropriate Entity (and, in less secure schemes, also by the System conducting the Authentication).
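The Password, Challenge-Response and Multi-Factor Authentication entries describe the mechanism in the abstract. The following added example (not code from the glossary or its author) shows a Two-Factor check in Python's standard library: the knowledge factor is a Password that the System verifies against a salted PBKDF2 digest, so the System itself never holds the Password (avoiding the 'less secure scheme' noted above); the possession factor is a one-time code from a Token, computed with the HOTP algorithm of RFC 4226. The enrolment record, the Token secret and the counter value are assumptions constructed for the example.

```python
"""Added example: a Two-Factor Authentication check
(knowledge factor: Password; possession factor: HOTP Token code)."""
import hashlib
import hmac
import os
import struct


def enrol_password(password: str, iterations: int = 100_000) -> dict:
    """Registration step: keep only a random salt and a PBKDF2 digest.

    The System can later test an Assertion 'I know the Password' without
    storing the Password itself.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Knowledge factor: recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def verify_token_code(secret: bytes, counter: int, code: str) -> bool:
    """Possession factor: the Token and the System share `secret` and `counter`."""
    return hmac.compare_digest(hotp(secret, counter), code)


def two_factor_login(record: dict, password: str,
                     token_secret: bytes, counter: int, code: str) -> bool:
    """Both independent factors must succeed; either alone is insufficient."""
    knowledge_ok = verify_password(record, password)
    possession_ok = verify_token_code(token_secret, counter, code)
    return knowledge_ok and possession_ok


if __name__ == "__main__":
    # Constructed enrolment data for a hypothetical Username.
    record = enrol_password("correct horse battery staple")
    token_secret = b"12345678901234567890"   # RFC 4226 test-vector secret
    counter = 0
    print(two_factor_login(record, "correct horse battery staple",
                           token_secret, counter, hotp(token_secret, counter)))  # True
    print(two_factor_login(record, "wrong", token_secret, counter,
                           hotp(token_secret, counter)))                          # False
```

Note that `hotp` with the RFC 4226 test secret `12345678901234567890` yields the published values (`755224` for counter 0, `287082` for counter 1), which is a convenient self-check when porting the routine. A production deployment would also track the Token counter server-side to reject replayed codes and rate-limit failed attempts; those details are outside the scope of the definitions here.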
Permission
A Capability, associated with a Username, which enables Access to System Resources. It is usually recorded in an Access Control List (ACL). Authorisation and Privilege are used as synonyms for Permission.
Persistent Nym
A Nym that is capable of being used on a continuing basis, to support a succession of communications.
Pre-Authentication
A series of steps undertaken during a Registration process, to simplify subsequent Authentication processes. The steps include the collection of Evidence in order to establish a level of confidence in an Assertion. It may involve the issue of a Credential. The term is commonly used to refer to Pre-Authentication of Identity, resulting in the issue of some kind of Token. It is equally applicable, however, to Attribute and Agency Authentication.
Principal
The Legal Entity on whose behalf an Agent acts.
Privacy
The interests that Natural Persons have in sustaining a 'personal space', free from interference by other people and organisations, and in controlling information about themselves. It has multiple dimensions, including privacy of the physical person, privacy of personal behaviour, privacy of personal communications, and privacy of personal data. A variety of privacy rights are conferred by international instruments, and by the laws of most jurisdictions. The term is often used in a misleading manner by security specialists, as a synonym for what they also call 'data confidentiality', or even to refer merely to the protection of the content of data during transmission.
Privilege
A synonym for Permission and for Authorisation.
Profile
Data associated with a Username. It is intended that the data reflect Attributes of the Entity issued with the particular Username that are useful in enhancing the service provided to it.
Proof of Identity (POI)
Evidence that is determinative of truth in relation to an Assertion relating to Identity. Such a concept is inconsistent with the notion of risk-managed security. Hence the concept of Evidence of Identity is to be strongly preferred.
Proof of Ownership (POO)
Evidence that is determinative of truth in relation to an Assertion that a particular Entity is the appropriate possessor of a Credential. The concept is inconsistent with the notion of risk-managed security. Hence the concept of Evidence of Ownership is to be strongly preferred.
Pseudonym
An Identifier that cannot be associated with any particular Entity unless legal, organisational and technical constraints are overcome.
Pseudonymity
A characteristic of Records and Transactions, such that they cannot be associated with any particular Entity, unless legal, organisational and technical constraints are overcome.
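The Pseudonym, Persistent Nym and Pseudonymity entries turn on a constraint that must be overcome before an Identifier can be linked back to an Entity. One common technical constraint, shown in the added example below (not from the glossary), is a keyed hash: a Pseudonym is derived from an Identifier with HMAC under a secret key held by a separate custodian. The same Identifier always maps to the same Pseudonym (a Persistent Nym), different organisations get unlinkable Pseudonyms for the same person, and re-identification requires the key. The key, domain labels and identifiers below are constructed for the example.

```python
"""Added example: Persistent Pseudonyms derived with a keyed hash."""
import hashlib
import hmac


def make_pseudonym(identifier: str, domain: str, key: bytes) -> str:
    """Derive a Persistent Nym for `identifier` within one organisation (`domain`).

    The domain is mixed into the MAC so that two organisations holding the
    same Identifier receive different, unlinkable Pseudonyms.
    """
    message = domain.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return "pn-" + hmac.new(key, message, hashlib.sha256).hexdigest()[:16]


def reidentify(pseudonym: str, candidates, domain: str, key: bytes):
    """Re-identification is possible only for a holder of the key.

    The custodian recomputes the Pseudonym for each candidate Identifier and
    returns the match, or None. Without `key` this search is not feasible.
    """
    for identifier in candidates:
        if hmac.compare_digest(make_pseudonym(identifier, domain, key), pseudonym):
            return identifier
    return None


if __name__ == "__main__":
    # Constructed values: a custodian key and two organisations' domains.
    custodian_key = b"constructed-example-key-do-not-reuse"
    p_bank = make_pseudonym("customer-4711", "bank.example", custodian_key)
    p_clinic = make_pseudonym("customer-4711", "clinic.example", custodian_key)
    print(p_bank, p_clinic, p_bank != p_clinic)
    print(reidentify(p_bank, ["customer-1", "customer-4711"], "bank.example", custodian_key))
```

Because the output is a fixed-length keyed digest, the Pseudonym carries no Attribute of the Entity; linking Records across domains, or back to the Entity, is gated by the organisational and legal rules under which the custodian releases the key or performs the lookup.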
Record
A collection of Data-Items, expressed in the abstract world in order to represent an Entity or Identity in the real world.
Registration
A process comprising a series of steps intended to simplify subsequent Authentication processes. Also referred to as Enrolment. One important aspect is Pre-Authentication.
Relying Party
An Entity that relies on an Assertion. Of particular importance is an Assertion that another Assertion (e.g. of Value, Identity, Attribute or Agency) has been subjected to particular Pre-Authentication or Authentication processes.
Restriction
A limitation on a capability associated with a Username in respect of System Resources. It is typically recorded in an Access Control List.
Role
A pattern of behaviour adopted by an Entity. An Entity may adopt one Identity in respect of each Role, or may use the same Identity when performing multiple Roles. Examples of Roles played by Legal Entities include seller and buyer, supplier and receiver, debtor and creditor, payer and payee, principal and agent, franchisor and franchisee, lessor and lessee, copyright licensor and licensee, employer and employee, contractor and contractee, trustee and beneficiary, tax-assessor and tax-assessee, business licensor and licensee, plaintiff and respondent, investigator and investigatee, and prosecutor and defendant.
Role-Based Access Control (RBAC)
An approach to Access Control whereby Usernames are associated with Roles (or functional positions), within an organisation or process, rather than with individual Users.
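The Access Control List, Permission, Restriction and Role-Based Access Control entries describe a data structure and the decision made against it. The following added example (not code from the glossary) puts them together in Python: an ACL that enumerates Usernames, Roles and groups of Usernames with their Permissions and Restrictions over named System Resources, plus the check that an Access Control System would run at Login. The resource names, Usernames and Roles are constructed for the example; the rule that a Restriction overrides any Permission is a design choice stated here, not a rule the glossary lays down.

```python
"""Added example: an ACL with Usernames, Roles and groups, and the Access check."""
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    subject: str                       # "user:<Username>", "role:<Role>" or "group:<name>"
    permissions: set = field(default_factory=set)
    restrictions: set = field(default_factory=set)


# Constructed ACL: System Resource -> entries. RBAC: most entries name Roles,
# not individual Usernames, so staff changes are handled by reassigning Roles.
ACL = {
    "payroll-db": [
        AclEntry("role:payroll-clerk", permissions={"read"}),
        AclEntry("role:payroll-manager", permissions={"read", "write"}),
        AclEntry("group:contractors", restrictions={"write", "delete"}),
        AclEntry("user:alice", permissions={"delete"}),   # a Username-specific grant
    ],
}

# Constructed assignments of Usernames to Roles and to groups.
USER_ROLES = {"alice": {"payroll-manager"}, "bob": {"payroll-clerk"},
              "carol": {"payroll-manager"}}
USER_GROUPS = {"carol": {"contractors"}}


def subjects_for(username: str) -> set:
    """All ACL subjects that apply to a Username: itself, its Roles, its groups."""
    subjects = {f"user:{username}"}
    subjects |= {f"role:{r}" for r in USER_ROLES.get(username, set())}
    subjects |= {f"group:{g}" for g in USER_GROUPS.get(username, set())}
    return subjects


def is_permitted(username: str, resource: str, action: str) -> bool:
    """Access decision: deny by default; a Restriction overrides any Permission."""
    subjects = subjects_for(username)
    entries = [e for e in ACL.get(resource, []) if e.subject in subjects]
    if any(action in e.restrictions for e in entries):
        return False
    return any(action in e.permissions for e in entries)


def grant(resource: str, subject: str, action: str) -> None:
    """Authorisation Process: record a new Permission in the ACL."""
    for entry in ACL.setdefault(resource, []):
        if entry.subject == subject:
            entry.permissions.add(action)
            return
    ACL[resource].append(AclEntry(subject, permissions={action}))


if __name__ == "__main__":
    for user, action in [("bob", "read"), ("bob", "write"),
                         ("carol", "read"), ("carol", "write"),
                         ("alice", "delete"), ("dave", "read")]:
        print(f"{user:6} {action:6} -> {is_permitted(user, 'payroll-db', action)}")
```

Carol holds the payroll-manager Role, which carries write Permission, yet her membership of the contractors group carries a write Restriction, so the check refuses; an unknown Username such as dave matches no entry and is refused by default. Note that the decision is keyed on the Username alone, which is why the Username entry below warns against treating a Username as an Identifier: the ACL says what the Username may do, not who holds it.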
Silo Identity Management
Performance of the Identity Management function by an organisation in order to deliver a Single Sign-On service within a single organisation.
Simplified Sign-On
A system that reduces the number of Passwords that Users have to remember in order to gain Access to multiple systems.
Single Sign-On
A system that enables an Entity to Access multiple sets of System Resources after being authenticated just once (e.g. by keying a Username/Password pair). The concept originated within organisations, but is capable of being applied across multiple organisations as well.
System Resource
A Resource, Access to which is provided by an Access Control System. Examples of System Resources include data-files, data-records within data-files, Data-Items within data-records, software and specific services provided by software.
Three-Factor Authentication
A form of Multi-Factor Authentication. It is most commonly described as involving `something you know', `something you have', and `something you are'.
Token
A Credential issued by a Legal Entity to another Legal Entity in which a third Entity places some degree of trust. A Token is designed to provide a relatively high level of confidence in some kind of Assertion, and is likely to include security features intended to render it difficult to forge, and tying it in some manner with the particular Entity. Examples include `identity cards' (especially `photo-id'), turnaround documents, tickets issued to Natural Persons required to wait in a queue, and smartcards and `dongles' designed to be used in conjunction with standalone and networked workstations.
Transaction
A collection of Data-Items, expressed in the abstract world in order to represent an Event in the real world.
Two-Factor Authentication
A form of Multi-Factor Authentication. It is most commonly described as involving `something you know', and `something you have'.
User
In the context of Usernames and Access Control, a Natural Person who seeks Access to System Resources.
Username
A string of characters that is issued to an Identity, and is included within an Access Control List, and which thereby has Permissions, and is subject to Restrictions, in relation to Access to System Resources. Also referred to as LoginID and User ID. Normally used in conjunction with a Password or PIN, and possibly also a Token, in order to enable Authentication. Usernames are often treated as though they constitute an Identifier. This is inadvisable.
Validation
The process of establishing the truth of an Assertion. Also referred to as Verification. The concept is inconsistent with the notion of risk-managed security. Hence the concept of Authentication is to be strongly preferred.
Verification
The process of establishing the truth of an Assertion. Also referred to as Validation. The concept is inconsistent with the notion of risk-managed security. Hence the concept of Authentication is to be strongly preferred.


Created: 8 October 2001 - Last Amended: 9 May 2004 by Roger Clarke - Site Last Verified: 15 February 2009