Saturday, August 23, 2007, 05:30 SGT (updated)

Digital Identity Glossary

Agent. A computer system or device that has been delegated (authority, responsibility, a function, etc.) by and acts for a legal entity/party (in exercising the authority, carrying out the responsibility, performing the function, etc.). [Identity Gang: JoaquinM, X.911, PaulT] [See also: client device.]

anonym. An anonym is an anonymous identifier. This means that the the identifier is not linked to it's owning legal entity. So long as there is some information that links an identifier to its owning legal entity, it is not an anonym — at best, the identifier can be a pseudonym. [See also: anonymous identity, nym, pseudonym.]

Anonymity. Anonymity is an attribute of an identity within an interaction which indicates if the identity is anonymous or unanonymous. [See also: Wikipedia on Anonymity.]

Anonymous Identity. An anonymous identity is an identity that is not bound or linked to an entity. [See also: anonym.]

Authentication. (1) Authentication is the process of validating that it is indeed the owning entity that is using or deploying the owned identity in an interaction. (2) Authentication is the process whereby confidence is established in an assertion of identity. It is performed by cross-checking against one or more authenticators. [Source: Roger Clarke.] (3) Authentication is the act of verifying that identity, where a verification consists in establishing, to the satisfaction of the verifier, that the sign signifies the entity. [Source: Stephen Downes.]

Notes: (a) Just because you know that the owner is also the user or deployer of the identity, doesn't imply that the identity is unanonymously bound to the entity — authenticated identities can be anonymous identities. The stronger the authentication, the higher the confidence that the user of the identity is its owner. (b) At it's root, authentication is just proof of identity based on information exchange. [See At the Core of Authentication.] [See also: Identification.]

Authenticator. An authenticator is something which determines authenticity or which guarantees validity. An authenticator is usually an object, a piece of knowledge, or some characteristic of it's possessor. It is typically uniquely in the possession of an entity so that the entity can prove it's authenticity, in an interaction, by demonstrating that it has possession of the authenticator. [See also: identifier.]

Broker. A broker is an entity represented by an unanonymous identity that serves to facilitate two or more anonymous identities in an interaction. [See also: Identity Ontology Taxonomy .]

Broker Group. A broker group is a group of entities which together act as a broker.

Claim. An assertion made by a claimant of the value or values of one or more identity attributes of a digital subject, typically an assertion which is disputed or in doubt. [Identity Gang: KimC, BenL, PeterD, ScottC, PaulT]

Notes: My hypothesis: claim = identifier.

Claimant. A digital subject representing a party that makes a claim. [Identity Gang]

Client Device. A client device is a networked entity which a user employs to access resources on the network. A client device has at least one identity (e.g. an IP address) separate from it's users' identities. A client device's identities can be anonymous or not. A client device is not a legal entity, but the identities of the client device is sometimes used to represent a legal entity (which is usually a bad idea because the device then cannot be shared). A client device can also act as a server, so long as it has at least one unanonymous identity on-line. Examples of client devices are PC's, laptop computers, wireless PDA's, phones, Blackberries. [See also: agent.]

Context. (1) The surrounding environment and circumstances that determine meaning of digital identities and the policies and protocols that govern their interactions. [Identity Gang: DaveK, PaulT] (2) A context is a sphere of activity, a geographical region, a communication platform, an application, a logical or physical domain. [Source: Stefan Brands.] Practically, a context is only relavent in an interaction. (3) A context might also be referred to as presence. [Source: Jaco Aizenman.] [Same as: identity context.]

Digital Identity. [Same as: identity.]

Digital Identity Provider. [Same as: identity provider.]

Digital Subject. An entity represented or existing in the digital realm which is being described or dealt with. [Identity Gang: originally from Kim's Laws, "person or thing" replaced with entity by PaulT]

Entity. (1) An entity is a human person, a non-human legal entity (e.g. a company, a government), a virtual artifact (e.g. a computer process, an application, a text file), a tangible object (e.g. a book, a device, a tree), a location (e.g. a town, a CPU memory address), or a grouping of other entities (e.g. an organization). (2) A person, physical object, animal, or juridical entity. In an identity system implementation an entity is abstract, conceptual, non-modelled. [Identity Gang] [See also: Legal Entity.] [See also: Wikipedia on Digital Identity.] [See also: Wikipedia on Entity.]

Notes: In order for it's existence to be acknowledged, an entity needs to have at least one unique identity.

Group. A group is a collection or organization of objects (entities, identities, etc.). All groups are also entities.

Interaction. (1) An interaction is an event involving two or more entities, via their identities. Each participating identity in an interaction is either anonymous or unanonymous to the interaction. (2) An interaction could also be referred to as a projection. [Source: Jaco Aizenman.] (3) Synonym to identity context. The surrounding environment and circumstances that determine meaning of identities and the policies and protocols that govern their interactions. [See also:] Note: We avoid the term transaction because it has a strict definition in the database world.

Identification. (1) Identification is the process whereby data is associated with a particular identity. It is performed by acquiring an identifier. [Source: Roger Clarke.] (2) Within a designated context, identifiers enable relying parties to distinguish between the entities they interact with. This is known as identification. [Source: Stefan Brands.] (3) Identification is the act of claiming an identity, where an identity is a set of one or more signs signifying a distinct entity. [Source: Stephen Downes.] [See also: Authentication.]

Identifier. (1) An identifier is information that names or indicates an entity or grouping of entities. [Source: Stefan Brands.] (2) An identifier is a signifier for an identity ; it is one or more data items that distinguishes an identity from other identities. Examples of identifiers: names, id-numbers, usernames, MAC addresses, IP-addresses, Social Security numbers. [Source: Roger Clarke.]

Notes: (a) For a typical login account, the user-id is the identifier and the password is the authenticator. (b) My hypothesis: claim = identifier. (c) Sometimes an identifier cannot sufficiently disambiguate between two entities in the larger universe, but is sufficient within a smaller group/organization. To tell the difference between two entities with the same identifier, one needs to use unique identifiers. E.g. a name is a non-unique identifier; E.g. in the universe of the USA, SSN's are unique identifiers (but not authenticators as they are often times used).

Identifier Directionality. [Needed?] For two participating entities in an interaction, identifier directionality indicates the anonymity of the identities of each of the entities in the interaction. Identifiers (in two-way interactions) are omnidirectional (both parties are unanonymous), unidirectional (one party is anonymous, the other is not), or nondirectional (both parties are anonymous; needs a broker). [See also: Identity Ontology Taxonomy.]

Identity. (1) An identity is a set of information that is attributable to a given entity. [Source: Wikipedia on Digital Identity.] (2) Identity is a presentation or role of an entity. [Source: Roger Clarke.] (3) An identity is the set of the properties of an entity that allows the entity to be distinguished from other entities. (4) a digital representation of a set of claims made by one party about itself or another digital subject. [Source: Kim Cameron.] [Identity Gang: originally from Kim's Laws, ScottL, PaulT, BobWyman]

Notes: (a) An identity is just one set of claims about a digital subject. For any given digital subject there will typically exist many identities. [PaulT] (b) An identity can be created on the fly when a particular identity transaction is desired, or persisted in a data store to provide a referenceable representation [ScottL, Drummond, MaryRuddy] (c) An identity may contain claims made by multiple claimants. [DickH] (d) An identity may be signed by a digital identity provider to provide assurance to a relying party [ConorC] (e) My hypothesis: identity = persona. See Identity or Persona? (f) Identities are owned by their entities. Identities have several key identity attributes, including: anonymity, strength, owning entity.

Identity Attribute. A property of a digital subject that may have zero or more values. [Identity Gang: adapted from Wikipedia, DaveK, JoaquinM]

Notes: What this lexicon calls an identity attribute is what is generally known as an "attribute" (name, first name, shoe size, social security number, religion, marital status, etc.) in digital form (so it's attached to a Digital Subject). The attributes exist whether or not they have a value and whether or not they're part of a Claim. [DaveK]

Identity Context. [Same as: context.]

Identity Provider. (1) An identity provider is an entity which issues identitiers to other entities. A typical identity provider is an internet site which manages its own directory of accounts of its users. (2) An agent that issues an identity. [Identity Gang: PaulT, ScottL] The agent is acting on behalf of an issuing party. [PaulT] [See also: notary.]

Legal Entity. A legal entity is an entity that can be a party to legal contracts. [See also: Wikipedia on Legal Entity.] By definition, all persons, all legally registered companies, and all countries are legal entities. [Same as: party]

Notary. A notary is an entity which can attest to the authenticity of an identifier within an interaction. [See also: identity provider.]

Nym. A nym is an identifier that cannot be readily linked to the underlying entity. An anonym can't. A pseudonym can't easily. [Source: Roger Clarke.]

Party. A natural person or a juridical entity. [Same as: legal entity] [Identity Gang: PaulT, JoaquinM]

Persona. A prexisting identity a user, through an agent, has the ability to select and use to represent himself in a given identity context. [Identity Gang: PaulT, DaveK, IainH, TonyN, Kim, Drummond, Johannes, Luke, Jaco, PTOng, PeterD].

Notes: My hypothesis: identity = persona. See Identity or Persona?

Privacy. Privacy is the ability of a person to control the availability of information about and exposure of himself or herself. It is related to being able to function in society anonymously (including pseudonymous or blind credential identification). [Source: Wikipedia on Privacy.]

Pseudonym. A pseudonym is a fictitious name (or identifier) used by an individual as an alternative to their legal name. In some cases, the pseudonym has become the legal name of the person using it. Practically, a pseudonym is an identifier which is not immediately associated to an entity. [See also: anonym, nym.]

Relationship. A relationship is a function which results in a measurement (true/false, yes/no, integer, etc.) when applied to two or more identities (not entities).

Relying Party. A party that makes known through its agent one or more alternative sets of claims that it desires or requires, and receives through this same agent an identity purportedly including the required claims from an identity provider or other agent of another party. [Identity Gang: JoaquinM, DaveK, DickH, Johannes]

Role. A role is a set of capabilities that it's possessor has.

Server. A server is a networked entity with at least one unanonymous identity that represents a legal entity. A server is intended to be always connected to the network, and providing one or more services to other network entities.

Strength. Strength is an attribute of an identity within an interaction which gives a technical basis upon which to believe that the specified entity is represented by the identity. [See also: Strong Identities Can Be Anonymous.]

Trust. Trust is an evaluation, by an entity, of the reliablity of an identity when the identity is involved in an interaction. [See also: Trust is an Emotion.] The level of trust is typically based on the technical strength of the identity, but it also includes the evaluating entity's subjective considerations (e.g. feelings) of the reliability of the entity the identity represents. Trust is at least partially transitive (as in the case of notaries).

Unanonymous Identity. An unanonymous identity is an identity that is linked to an entity in a way that the linkage can easily be discovered.

Notes: An example of an unanonymous identity is one with an email identifier that looks like

Unique Identifier. An unique identifier is an identifier that is unique in the universe of that class of identifiers, and it can belong to exactly one entity

Notes: If the unique identifiers are ever "recycled", then they are not unique identifiers temporally — at any one point in time, it might be able to distinguish between all the entities in the group, but it would not be so effective in historical databases/logs. Depending on IT policy, email addresses are one such example. E.g. fifteen years ago might belong to a different person/entity than it does now.

User. A user is a human entity who can only access the network via a client device.

User Identifiers. [Redundant] User identifiers are identifiers that represent users in their interactions with other parties. [Derived from: Stefan Brands.]

Notes: Users may present their identifiers verbally, on paper, on plastic cards, or in any other appropriate manner. Electronic user identifiers are electronically presented over data communication channels by user-operated computing devices (client devices) such as PCs, laptops, mobile phones, and smartcards.

See Also

  1. The Identity Gang's Lexicon
  2. Allan Milgate, The Identity Dictionary: an Identipedia
  3. definitions page
  4. Wikipedia on Digital Identity
  5. SAML 2.0 Glossary [pdf]
  6. Dan Blum, Burton Group, Identity Concepts and Definitions [pdf]
  7. Roger Clarke, Identification and Authentication Fundamentals
  8. Modinis IDM, Common Terminological Framework for Interoperable Electronic Identity Management
  9. ISO/ITU X.911 Information Technology — Open Distributed Processing — Reference Model — Enterprise Language - definitions in section 6.5 [pdf]
  10. Allan Milgate, The Identity Dictionary
  11. Andreas Pfitzmann and Marit Hansen, Anonymity, Unlinkability, Unobservability, Pseudonymity, and Identity Management - A Consolidated Proposal for Terminology


  1. Oct 1, 2005: Consider replacing identity with persona (see
  2. April 15, 2007: Synchronize definititions with those in the Identity Gang's Lexicon
  3. May 14, 2007: Example to distinguish identity from authenticator. Added to authentication and anonym.
  4. August 23, 2008: Finally fixed for relocation of to

Sunday, May 13, 2007, 11:45 PM PDT (updated)

Saturday, April 23, 2005, 7:06 PM (created)