credential

"identifier credential": A data object that is a portable representation of the association between an identifier and a unit of authentication information, and that can be presented for use in verifying an identity claimed by an entity that attempts to access a system. Example: X.509 public-key certificate. (See: anonymous credential.)

"authorization credential": A data object that is a portable representation of the association between an identifier and one or more access authorizations, and that can be presented for use in verifying those authorizations for an entity that attempts such access. Example: X.509 attribute certificate. (See: capability token, ticket.)

"Data that is transferred to establish the claimed identity of an entity." [I7498-2]

Deprecated Definition: IDOCs SHOULD NOT use the term with definition 3. As explained in the tutorial below, an authentication process can involve the transfer of multiple data objects, and not all of those are credentials.

"An object that is verified when presented to the verifier in an authentication transaction." [M0404]

Deprecated Definition: IDOCs SHOULD NOT use the term with definition 4; it mixes concepts in a potentially misleading way. For example, in an authentication process, it is the identity that is "verified", not the credential; the credential is "validated". (See: validate vs. verify.)

Tutorial: In general English, "credentials" are evidence or testimonials that (a) support a claim of identity or authorization and (b) usually are intended to be used more than once (i.e., a credential's life is long compared to the time needed for one use). Some examples are a policeman's badge, an automobile driver's license, and a national passport. An authentication or access control process that uses a badge, license, or passport is outwardly simple: the holder just shows the thing.

The problem with adopting this term in Internet security is that an automated process for authentication or access control usually requires multiple steps using multiple data objects, and it might not be immediately obvious which of those objects should get the name "credential".

For example, if the verification step in a user authentication process employs public-key technology, then the process involves at least three data items: (a) the user's private key, (b) a signed value -- signed with that private key and passed to the system, perhaps in response to a challenge from the system -- and (c) the user's public-key certificate, which is validated by the system and provides the public key needed to verify the signature.

• Private key: The private key is not a credential, because it is never transferred or presented. Instead, the private key is "authentication information", which is associated with the user's identifier for a specified period of time and can be used in multiple authentications during that time.
• Signed value: The signed value is not a credential; the signed value is only ephemeral, not long lasting. The OSIRM definition could be interpreted to call the signed value a credential, but that would conflict with general English.
• Certificate: The user's certificate is a credential. It can be "transferred" or "presented" to any person or process that needs it at any time. A public-key certificate may be used as an "identity credential", and an attribute certificate may be used as an "authorization credential".