ISO IEC 24760-1:2011 pdf – Information technology一Security techniques一A framework for identity management- Part 1: Terminology and concepts
ISO IEC 24760-1:2011 pdf – Information technology一Security techniques一A framework for identity management- Part 1: Terminology and concepts.
3.3 Authenticating an identity
formalized process of verification (3.2.2) that, if successful, results in an authenticated identity (3.3.2) for an entity (3.1.1)
NOTE 1 The authentication process involves tests by a venfiei’ of one or more identity attributes provided by an entity to ctetenmne, with the required level of assurance, their correctness.
NOTE 2 AuthenticatIon typically involves the use of a policy to specify a required level of assurance for the result of a successful completion.
NOTE 3 Identification is usually done as authentication to obtain a specific level of assurance m the result
identity information (3.2.4) for an entity (3.1.1) created to record the result of authentication (3.3.1)
NOTE 1 An authenticated identity typicaty contains information obtained si the authentication process. e.g. the level of assurance attained.
NOTE 2 The existence of an authenticated identity m a particular domain denotes that an entity has been recognized in that domain.
NOTE 3 An authenticated identity typicaly has a lifespan restricted by an authentication policy.
identity information authority hA
entity (3.1.1) related to a particular domain (3.2.3) that can make provable statements on the validity and/or correctness of one or more attribute (3.1.3) values in an identity (3.12)
NOTE I An identity information authoflty is typically associated with the domali, for instance the domain of origin, in
which the atinbutes, which the IlA can make assertions on, have a particular significance, NOTE 2 The activity of an identity information authority may be subject to a policy on privacy protection.
NOTE 3 An entity can combine th. functions of identity information provider and identity Information authority.
identity information provider
identity provider lip
entity (3.1.1)that makes available identity information (3.2.4)
NOTE Typical operations performed by an identity information provider are to create and maintar identity information for entities known m a particular domain. An identity Information provider and an identity information authority may be the same entity.
representation of an identity (3.1.2)
NOTE I A credential is typically made to facilitate data authentication of the identity information in the identity it represents.
NOTE 2 The identity information represented by a credential can be pnnted on paper or stored within a physical token that typically has been prepared ii a manner to assert the information as valid.
EXAMPLE A credential can be a username, usemame with a password, a PIN. a smartcard, a token, a fingerprint, a passport, etc
process to make an .ntlty (3.1.1) known within a particular domain (3.2.3)
NOTE I Enrolment leads to identity registration. Identity proofing Is typically performed to establish the identity information to be registered for a particular entity.
NOTE 2 In general enrolment collates and creates identity information for storage m an identity register to be used in subsequent identification of the entity in the domain It Is the start of the lifecycle of an identity In the domain for an entity
evidence of identity
identity information (3.2.4) for an entity (3.1.1) required for authentication (3.3.1) of that entity (3.1.1)
NOTE Identity evidence indudes the presented and gathered information related to a daimant that is needed for a successful authenticatloit Any such information may be part of the authenticated Identity for the claimant.
identity register IMS register
repository of IdentIties (3.1.2) for different entItles (3.1.1)
NOTE 1 A typical identity register is indexed by a referenc identifier.
NOTE 2 The identity inlormation authority in a particular domain typically uses its own identity register. However, an identity register may be shared between related domains, e.g. within the same commercial entity.
NOTE 3 The reliability of the Identity Information In an Identity register is determined by the authentication policies used during enrolrneni
process of recording an entity’s (3.1.1) identity information (3.2.4) in an identity register (3.4.5)
tool used during enrolment (3.4.3) to provide a fresh unique value for a reference IdentIfier (3.1.6)
EXAMPLE A database management system can be the reference identifier generator when assigns a unique record number to a new record being added to a table and the record number is used as reference identifier.
Identity (3.1.2) for use in multiple domains (3.2.3). which together form an Identity federatIon (3.5.2)
NOTE 1 A federated identity may be )ointly managed by Identity information providers of the federated domains NOTE 2 The shared attributes used in the federated domains may in particular be used for identification. e.g to support sine-sIgn-on (SSO).
NOTE 3 The federated Identity may persist or may be a temporary One. e.g. as single-sign-on Identity.