Credential

From IDESG Wiki
Jump to: navigation, search

Definition

  1. A set of data presented as evidence of a claimed digital identifier or set of attributes.
  2. A set of data held by the user that allows presentation of evidence of a claimed digital identifier or set of attributes.

Notes

A certificate associated with a credential can establish a level of confidence in the attributes used in the identity claim as well as the security of the credential.

The security of some credentials, as defined in 1 above, like passwords, are not generally secure. The security of credentials that are not directly passed, as defined in 2 above, can be made arbitrarily secure.

Previous proposed definitions include:

  1. Attribute(s) presented as evidence of a claimed identity. (Taxonomy AHG)
  2. An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. (NIST 800-63)
  3. Some form of token presented to facilitate identification and authentication. (Wallace)
  4. Verified attributes presented as evidence of a claimed identity.(Faron)
  5. Evidence of possession of an attribute by an entity, provided during identity proofing and similar processes.(Fenton)
  6. Something that is verifiable and is presented as evidence of a claimed identity and/or entitlement.(Corwin)
  7. A credential is an attestation of qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so. (Wikipedia)
  8. A credential needs to be an unique property of an individual that cannot be transferred. (Tom Jones)

Open question: Is binding necessary, or preferred?

Sources

ITU-T X.1252

NIST 800-63: An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. While common usage often assumes that the credential is maintained by the Subscriber, this document also uses the term to refer to electronic records maintained by the CSP which establish a binding between the Subscriber’s token and identity.

W3C Credential Management Level 1

From a developer’s perspective, a credential is an object which allows a developer to make an authentication decision for a particular action. Various types of credentials are used or presented by the User Agent. A credential is effective for a particular site if it is accepted as authentication on that site. Even if a credential is effective at a particular point in time, the User Agent can’t assume that the same credential will be effective at any future time, for a couple reasons:

  1. A password credential may stop being effective if the account holder changes their password.
  2. A credential made from a token received over SMS is likely to only be effective for a single use.

Single-use credentials are generated by a credential source, which could be a private key, access to a federated account, the ability to receive SMS messages at a particular phone number, or something else. Credential sources are not exposed by the User Agent. To unify the model, we consider a password to be a credential source on its own, which is simply copied to create password credentials.

Status

MC Approved


Add a Comment

To add a comment, you will need to be logged on to the wiki. If you are logged on, click the button below to add a comment. The comment will be appended to the Discussion page for disposition by the reviewer. <inputbox> type=comment editintro=Comment_Instructions preload=Comment_Preload buttonlabel=Post a Comment on the Discussion Page default=Talk:Credential hidden=yes </inputbox>


Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |