Identity Management

Identities

The term Identity is used here to mean the representation of an entity in a given context, where an entity is something that has a distinct existence and can be uniquely identified (e.g. a person or an organisation). This representation takes the form of a defined collection of entity attributes or distinctive characteristics (ISO/IEC Second CD 24760, 2010). These attributes and characteristics are also collectively referred to as personally identifiable information (PII).

In line with this use of the term, a recent draft of ITU-T X.1250 (ITU-T X.1250 (X.idmreq), 2009) defines identity as the “Representation of an entity (or group of entities) in the form of one or more information elements which allow the entity(s) to be uniquely recognised within a context to the extent that is necessary (for the relevant applications).”

Whilst, in principle, every entity has a ‘whole’ identity that consists of all its distinctive attributes, subsets of these attributes can form different ‘partial’ identities in different contexts. An identifier is a unique label for an object, that can be used to refer to an entity in a specific context (e.g. a username that refers to a user’s digital account) (ISO/IEC Second CD 24760, 2010). We can consider an identifier as a special attribute of an entity that must be unique within its context of use. Figure 1 shows the relationship between entities, identities and identifiers. As shown in the figure, an identity is a representation of a subset of all possible attributes of a given entity. Attributes can be shared by different identities of a given entity.

Figure 1.

Relationship between entities, identities and identifiers

Identification can be defined as a “process to determine that presented identity information associated with a particular entity is sufficient for the entity to be recognised in a particular domain” (ISO/IEC Second CD 24760, 2010). A representation of an identity in a digital system is called a digital identity. Henceforth, ‘identity’ is used to mean ‘digital identity’ unless we explicitly state otherwise.

Figure 2 shows a possible identity lifecycle which includes five steps, namely: provision, propagate, use, maintain, and deprovision (Windley, 2005). In the provision step, an identity is created by defining an identity record that includes the correct attributes. This step involves identity registration to allow an entity to be known within a particular domain of applicability. This requires an initial entity authentication to be performed, i.e. a particular form of authentication based on identity evidence, performing which is a necessary condition for the identity record to be created (ISO/IEC Second CD 24760, 2010). This identity record can be propagated to other systems or subsystems (e.g. a database system) in the propagate step. After being provisioned and propagated, the identity record can be used by authorised entities in the use step. The identity record can be updated and its information can be changed in the maintain step, where the identity record must be repropagated after being updated. Finally, the identity record is deleted in the deprovision step.

Figure 2.

Digital identity lifecycle

In 2008, the Organisation for Economic Co-operation and Development (OECD) published a document specifying certain Properties of Identity (OECD, At a Crossroads: “Personhood” and Digital Identity in the Information Society, 2008). These properties apply to ‘personal identities’ (i.e. identities that belong to individual humans), and for each property the OECD (OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980) describes how the OECD privacy guidelines apply to it. We list below these identity properties, along with their OECD descriptions.