identity

Senses

(I)

The collective aspect of a set of attribute values (i.e., a set of characteristics) by which a system user or other system entity is recognizable or known. (See: authenticate, registration. Compare: identifier.)

Usage: An IDOC MAY apply this term to either a single entity or a set of entities. If an IDOC involves both meanings, the IDOC SHOULD use the following terms and definitions to avoid ambiguity:

  • "Singular identity": An identity that is registered for an entity that is one person or one process.
  • "Shared identity": An identity that is registered for an entity that is a set of singular entities (1) in which each member is authorized to assume the identity individually and (2) for which the registering system maintains a record of the singular entities that comprise the set. In this case, we would expect each member entity to be registered with a singular identity before becoming associated with the shared identity.
  • "Group identity": An identity that is registered for an entity (1) that is a set of entities (2) for which the registering system does not maintain a record of singular entities that comprise the set.

Tutorial: When security services are based on identities, two properties are desirable for the set of attributes used to define identities:

  • The set should be sufficient to distinguish each entity from all other entities, i.e., to represent each entity uniquely.
  • The set should be sufficient to distinguish each identity from any other identities of the same entity.

The second property is needed if a system permits an entity to register two or more concurrent identities. Having two or more identities for the same entity implies that the entity has two separate justifications for registration. In that case, the set of attributes used for identities must be sufficient to represent multiple identities for a single entity.

Having two or more identities registered for the same entity is different from concurrently associating two different identifiers with the same identity, and also is different from a single identity concurrently accessing the system in two different roles. (See: principal, role-based access control.)
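
The two properties above, together with the singular/shared distinction from the Usage note, written as checks a registration store could apply. This is an added example, not part of RFC 4949; the `Registry` class, its methods and the attribute names are hypothetical, and group identities are not modelled.

```python
# Added example: toy registration store; all names here are hypothetical.
class RegistrationError(Exception):
    pass


class Registry:
    def __init__(self):
        self.core = {}         # entity -> core registration data
        self.identities = {}   # identity attribute set -> (entity, members or None)
        self.singular = set()  # entities that hold a singular identity

    def register(self, entity, core, extra=None, members=None):
        """Register one identity for `entity` and return its attribute set."""
        core_key = frozenset(core.items())
        if entity not in self.core:
            # Property 1: core data must distinguish this entity from all others.
            if core_key in self.core.values():
                raise RegistrationError("core data does not distinguish the entity")
        elif self.core[entity] != core_key:
            # All identities of one entity carry the same core data.
            raise RegistrationError("core data differs from earlier registration")
        identity = core_key | frozenset((extra or {}).items())
        # Property 2: a further identity of the same entity needs attributes
        # that set it apart from every identity already registered.
        if identity in self.identities:
            raise RegistrationError("identity not distinguishable from an existing one")
        if members is not None:
            # Shared identity: members are expected to hold a singular identity
            # first, and the system records who is in the set.
            missing = sorted(m for m in members if m not in self.singular)
            if missing:
                raise RegistrationError(f"no singular identity for: {missing}")
            members = frozenset(members)
        else:
            self.singular.add(entity)
        self.core[entity] = core_key
        self.identities[identity] = (entity, members)
        return identity

    def may_assume(self, who, identity):
        """True if registration data lets `who` act under `identity`."""
        entity, members = self.identities[identity]
        return who == entity if members is None else who in members
```

Registering the same entity twice with identical attributes is rejected, while a second registration with an extra distinguishing attribute yields a separate identity that shares the entity's core data.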

When an identity of a user is being registered in a system, the system may require presentation of evidence that proves the identity's authenticity (i.e., that the user has the right to claim or use the identity) and its eligibility (i.e., that the identity is qualified to be registered and needs to be registered).

The following diagram illustrates how this term relates to some other terms in a PKI system: authentication information, identifier, identifier credential, registration, registered user, subscriber, and user.

Relationships: === one-to-one, ==> one-to-many, <=> many-to-many.

                +- - - - - - - - - - - - - - - - - - - - - - - - - - +
                |                     PKI System                     |
    + - - - - + | +------------------+   +-------------------------+ |
    |  User,  | | |Subscriber, i.e., |   | Identity of Subscriber  | |
    |i.e., one| | | Registered User, |   |    is system-unique     | |
    | of the  | | | is system-unique |   | +---------------------+ | |
    |following| | | +--------------+ |   | |     Subscriber      | | |
    |         | | | | User's core  | |   | |     Identity's      | | |
    | +-----+ |===| | Registration | |==>| |  Registration data  | | |
    | |human| | | | | data, i.e.,  | |   | |+-------------------+| | |
    | |being| | | | | an entity's  | |   | || same core data    || | |
    | +-----+ | | | |distinguishing|========|for all Identities || | |
    |   or    | | | | attribute    | |   | || of the same User  || | |
    | +-----+ | | | | values       | | +===|+-------------------+| | |
    | |auto-| | | | +--------------+ | | | +---------------------+ | |
    | |mated| | | +------------------+ | +------------|------------+ |
    | |pro- | | |         |    +=======+              |              |
    | |cess | | | +-------v----|----------------------|------------+ |
    | +-----+ | | | +----------v---+     +------------v----------+ | |
    |   or    | | | |Authentication|<===>|Identifier of Identity | | |
    |+-------+| | | | Information  |     |   is system-unique    | | |
    || a set || | | +--------------+     +-----------------------+ | |
    ||  of   || | | Identifier Credential that associates unit of  | |
    || either|| | | Authentication Information with the Identifier | |
    |+-------+| | +------------------------------------------------+ |
    + - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - -+

References
  • IETF RFC 4949 (Internet Security Glossary), Jan 06, 2026
    RFC 4949 — Internet Security Glossary (Version 2)
    https://www.rfc-editor.org/rfc/rfc4949.txt
    RFC 4949 is published by the IETF Trust and marked as "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.
    Source: IETF RFC 4949 (rfc-editor.org).