Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024

Roger Clarke's 'Identity Glossary'

A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation
Glossary of Terms

Draft of 16 May 2009

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2009

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.


This file consolidates the definitions of terms in the author's 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation'.

Access control: the set of processes comprising Pre-Authentication, Enrolment, Authentication and Authorisation

Account: a set of Data-items which together define and describe an Identity, and which enable Identity Authentication and Authorisation processes to be performed

Agency: the capacity of a particular Identity or Entity to act on behalf of another particular Identity or Entity

Anonym: an Identifier which cannot be associated with any particular Entity, whether from the data itself, or by combining it with other data

Anonymity: a characteristic of an Identity, whereby it cannot be associated with any particular Entity, whether from the data itself, or by combining it with other data

Assertion: a proposition relating to a fact, the quality of a Data-item, the value of an Entity, the Location of an Entity, an Attribute of an Entity or an Identity (including Agency), an Entity, or an Identity

Attribute: a characteristic, in particular of an Entity or an Identity

Authentication: a process that establishes a level of confidence in an Assertion

Authentication strength: the degree of confidence achieved in a particular Assertion as a result of an Authentication process

Authenticator: an item of evidence used in the Authentication process

Authorisation: the process whereby it is determined what Permissions or Privileges a particular Entity or Identity is permitted

Credential: an Authenticator that has physical or digital existence

Data-item: a discrete element of data

Data silo: a set of Records used for a particular purpose, and not linked to other sets of records relating to the same Entities or Identities

Digital persona: a Record that is sufficiently rich to provide the record-holder with an adequate image of the represented Entity or Identity

Enrolment: that part of the Registration process which establishes the means for an effective and efficient Authentication process on each subsequent occasion that the User seeks access

Entification: the process whereby data is associated with a particular Entity. This is achieved by acquiring an Entifier for the Entity

Entifier: a set of Data-items that are together sufficient to distinguish a particular entity from others in the same category

Entity: a real-world thing

Entity assertion: an assertion that an Entifier is being appropriately used, or that the Entity in question is who or what it purports or is inferred to be

Entity authentication: the process whereby a level of confidence is achieved in an Entity Assertion

Entity credential: a Credential that assists in the Entity authentication process

Entity silo: an Entifier that is used for a restricted purpose

Evidence of entity: an Authenticator that assists in the Entity authentication process

Evidence of identity: an Authenticator that assists in the Identity authentication process

General-purpose identifier: an Identifier that is available for use for any purpose (cf. Identity silo and Multi-purpose identifier)

Identification: the process whereby data is associated with a particular Identity. This is achieved by acquiring an Identifier for the Identity

Identifier: a set of Data-items that are together sufficient to distinguish a particular identity from others in the same category

Identity: a real-world thing, but of virtual rather than physical form

Identity assertion: an assertion that an Identifier is being appropriately used, or that the Identity in question is who or what it purports or is inferred to be

Identity authentication: the process whereby a level of confidence is achieved in an Identity Assertion

Identity credential: a Credential that assists in the Identity authentication process

Identity management: a generic term for architectures, infrastructure and processes that support the Authentication of Identity Assertions

Identity silo: an Identity, and its associated Identifier(s), which are used for a restricted purpose (cf. Multi-purpose identifier and General-purpose identifier)

Loginid: an Identifier that distinguishes a particular User from other Users and non-users

Multi-purpose identifier: an Identifier that is used for multiple purposes (cf. Identity silo and General-purpose identifier)

Nym: a generic term encompassing both Anonym and Pseudonym

Nymity: a generic term encompassing both Anonymity and Pseudonymity

Permission: a capability that an Entity or Identity is permitted to perform (a synonym for Privilege)

Pre-authentication: that part of the Registration process whereby the Assertion is tested that the Entity is an appropriate one to have an Identifier, Identity Authenticator(s) and Permissions created for it or assigned to it

Privilege: a capability that an Entity or Identity is permitted to perform (a synonym for Permission)

Pseudonym: an Identifier which may be able to be associated with a particular Entity, but only if legal, organisational and technical constraints are overcome

Pseudonymity: a characteristic of an Identity, whereby it may be able to be associated with a particular Entity, but only if legal, organisational and technical constraints are overcome

Record: a set of Data-items each of which relates to a particular Entity or Identity

Registration: the set of processes comprising Pre-Authentication and Enrolment

Simplified sign-on: a less ambitious and less insecure approach than Single sign-on, whereby a master-Account provides access to a number of Accounts rather than to all Accounts within a domain

Single sign-on: a service whereby each User has a single master-Account that enables access to all Accounts with all service-providers, or with all service-providers within some domain such as that provided by their employer

Token: a recording medium on which an Entifier or Identifier may be recorded

User: an Entity that seeks access to system resources

Userid: a synonym for Loginid and Username

Username: a synonym for Loginid and Userid


The model and the definitions of terms draw on many years of both research and consultancy, and owe a great deal to many people, including my consultancy colleagues David Jonas, Ian Christofis, Ross Oakley and Kevin Jeffery.

An earlier version appeared in my monograph 'Identity Management: The Technologies, Their Business Value, Their Problems, and Their Prospects', published in 2004.

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 75 million in late 2024.

Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 16 May 2009 - Last Amended: 16 May 2009 by Roger Clarke - Site Last Verified: 15 February 2009