Information technology - Security techniques - A framework for identity management - Part 1: Terminology and concepts - Amendment 1: Additional terminology and concepts

Technologies de l'information — Techniques de sécurité — Cadre pour la gestion de l'identité — Partie 1: Terminologie et concepts — Amendement 1: Terminologie et concepts additionnels

General Information

Status: Withdrawn
Current Stage: 5098 - Project deleted
Start Date: 17-Oct-2018
Completion Date: 30-Oct-2025

Relations

Draft: ISO/IEC 24760-1:2011/FDAmd 1 - Additional terminology and concepts
English language, 12 pages

Draft: REDLINE ISO/IEC 24760-1:2011/FDAmd 1 - Information technology — Security techniques — A framework for identity management — Part 1: Terminology and concepts — Amendment 1: Additional terminology and concepts. Released: 7/26/2018
English language, 12 pages

Frequently Asked Questions

ISO/IEC 24760-1:2011/FDAmd 1 is a draft published by the International Organization for Standardization (ISO). Its full title is "Information technology - Security techniques - A framework for identity management - Part 1: Terminology and concepts - Amendment 1: Additional terminology and concepts".

ISO/IEC 24760-1:2011/FDAmd 1 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification identifies the subject area and helps in finding related standards.

ISO/IEC 24760-1:2011/FDAmd 1 has inter-standard links to ISO/IEC 24760-1:2019 and ISO/IEC 24760-1:2011. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/IEC 24760-1:2011/FDAmd 1 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


FINAL DRAFT AMENDMENT
ISO/IEC 24760-1:2011 FDAM 1
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2018-08-09
Voting terminates on: 2018-10-04

Information technology — Security techniques — A framework for identity management —
Part 1: Terminology and concepts
AMENDMENT 1: Additional terminology and concepts

Technologies de l'information — Techniques de sécurité — Cadre pour la gestion de l'identité —
Partie 1: Terminologie et concepts
AMENDEMENT 1: Terminologie et concepts additionnels

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

Reference number
ISO/IEC 24760-1:2011/FDAM 1:2018(E)
© ISO/IEC 2018

ISO/IEC 24760-1:2011/FDAM 1:2018(E)

© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
A list of all parts in the ISO/IEC 24760 series can be found on the ISO website.
Information technology — Security techniques — A
framework for identity management —
Part 1:
Terminology and concepts
AMENDMENT 1: Additional terminology and concepts

Normative references
Add the following normative reference:
ISO/IEC 24760-2, Information technology — Security techniques — A framework for identity
management — Part 2: Reference architecture and requirements

3.1.1
Replace with the following:
3.1.1
entity
item relevant for the purpose of operation of a domain (3.2.3) that has a separate and distinct existence
Note 1 to entry: An entity may have a physical or a logical embodiment.
EXAMPLE A person, an organization, a device, a group of such items, a human subscriber to a telecom
service, a SIM card, a passport, a network interface card, a software application, a service or a website.

3.1.3
Remove Note 3 to the terminological entry.

3.1.3
Replace with the following:
3.1.3
attribute
characteristic or property of an entity (3.1.1)

3.1.4
Replace with the following:
3.1.4
identifier
attribute or set of attributes (3.1.3) that uniquely characterizes an identity (3.1.2) in a domain (3.2.3)
Note 1 to entry: An identifier may be a specifically created attribute with a value assigned to be unique within
the domain.

3.1.5
Replace with the following:
3.1.5
domain of origin
domain (3.2.3) where an attribute (3.1.3) value was created or its value has been (re)assigned
Note 1 to entry: The domain of origin may be provided as meta data for an attribute.
Note 2 to entry: The domain of origin typically specifies the meaning and format of the attribute value. Such
specification may be based on international standards.
Note 3 to entry: An attribute may contain an explicit value that references the domain of origin, e.g. an ISO
country code for a passport number as reference to the issuing country that is the domain of origin of identity
information in the passport.
Note 4 to entry: Operationally, a domain of origin may be available as an authoritative source for an attribute
(sometimes known as the Attribute Authority). An authoritative source may be operated outside the actual
domain of origin. Multiple authoritative sources may exist for the same domain of origin.
EXAMPLE The domain of origin of a club-membership number is the specific club that assigned the number.

3.1.7
Add new terminological entry as follows:
3.1.7
principal
subject
entity (3.1.1) of which identity information is stored and managed by an identity management
system (3.4.8)
Note 1 to entry: Typically, in a context of privacy protection or where a principal is seen as having agency, a
principal refers to a person.
[SOURCE: ISO/IEC 24760-2:2015, 3.4, modified — The sense of the word “pertains” has been clarified
and Note 1 has been reworded.]

3.2.2
Replace with the following:
3.2.2
verification
process of establishing that identity information (3.2.5) associated with a particular entity (3.1.1)
is correct
Note 1 to entry: Verification typically involves determining which attributes are needed to recognize an entity in
a domain, checking that these required attributes are present, that they have the correct syntax, and exist within
a defined validity period and pertain to the entity.
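Note 1 lists the checks that make up verification in a fixed order: determine which attributes the domain needs, confirm each is present, confirm its syntax, confirm it is within its validity period, and confirm it pertains to the entity. The following Python is an added illustration of that sequence and is not text or code from ISO/IEC 24760-1; the `Attribute` record, the recognition policy of the hypothetical domain "clubhouse" and the two sample attribute sets are constructed for the example.

```python
"""Verification (3.2.2) of identity information, following the checks in Note 1.

Added illustration, not part of ISO/IEC 24760-1: the Attribute record, the
recognition policy for the hypothetical domain "clubhouse" and the sample data
are all constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Attribute:
    """One attribute (3.1.3) as held by a domain, with the metadata the checks need."""
    name: str
    value: str
    entity_id: str                     # the entity (3.1.1) the attribute pertains to
    valid_from: Optional[date] = None  # start of validity period, if any
    valid_to: Optional[date] = None    # end of validity period, if any
    domain_of_origin: str = ""         # 3.1.5, carried as metadata (Note 1 to 3.1.5)


# Constructed recognition policy of the hypothetical domain "clubhouse":
# which attributes are needed to recognize an entity, and the syntax each must have.
CLUBHOUSE_POLICY: Dict[str, re.Pattern] = {
    "member_number": re.compile(r"M-\d{6}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
}


def verify(entity_id: str, attributes: List[Attribute],
           policy: Dict[str, re.Pattern], today: date) -> List[str]:
    """Apply the Note 1 checks and return the findings; an empty list means verified.

    For every attribute the policy requires: it must be present, its value must
    match the policy's syntax, `today` must fall inside its validity period,
    and it must pertain to `entity_id` rather than to some other entity.
    """
    findings: List[str] = []
    by_name = {a.name: a for a in attributes}
    for name, syntax in policy.items():
        attr = by_name.get(name)
        if attr is None:
            findings.append(f"{name}: required attribute missing")
            continue
        if not syntax.fullmatch(attr.value):
            findings.append(f"{name}: value {attr.value!r} has wrong syntax")
        if attr.valid_from is not None and today < attr.valid_from:
            findings.append(f"{name}: not yet valid (valid from {attr.valid_from})")
        if attr.valid_to is not None and today > attr.valid_to:
            findings.append(f"{name}: validity period ended {attr.valid_to}")
        if attr.entity_id != entity_id:
            findings.append(f"{name}: pertains to {attr.entity_id}, not {entity_id}")
    return findings


# Constructed sample data: one attribute set that verifies, one with three defects.
TODAY = date(2024, 6, 1)
SAMPLE_OK = [
    Attribute("member_number", "M-004217", "E-1",
              date(2020, 1, 1), date(2030, 12, 31), "clubhouse"),
    Attribute("email", "alice@example.com", "E-1"),
]
SAMPLE_BAD = [
    # wrong syntax, and the validity period is already over
    Attribute("member_number", "4217", "E-1",
              date(2020, 1, 1), date(2023, 12, 31), "clubhouse"),
    # pertains to a different entity
    Attribute("email", "bob@example.com", "E-2"),
]

if __name__ == "__main__":
    print("OK set findings:", verify("E-1", SAMPLE_OK, CLUBHOUSE_POLICY, TODAY))
    for finding in verify("E-1", SAMPLE_BAD, CLUBHOUSE_POLICY, TODAY):
        print("BAD set:", finding)
```

The policy is what turns "which attributes are needed to recognize an entity in a domain" into something checkable: the domain decides the required set and the syntax, and the attribute metadata (validity period, the entity it pertains to) supplies the rest. Attributes outside the policy are ignored, so a verifier never has to reason about values it was not asked for.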

3.2.3
Remove DA as admitted term.

3.3
Change the title as follows:
3.3  Authenticating identity information

3.3.1
Remove Note 3 to the terminological entry.

3.3.5
Replace with the following:
3.3.5
credential
representation of an identity (3.1.2) for use in authentication (3.2.1)
Note 1 to entry: As described in 5.4, customary embodiments of a credential are very diverse. To accommodate
this wide range, the definition adopted in this document is very generic.
Note 2 to entry: A credential is typically made to facilitate data authentication of the identity information
pertaining to the identity it represents. Data authentication is typically used in authorization.
Note 3 to entry: The identity information represented by a credential can, for example, be printed on human-
readable media, or stored within a physical token. Typically, such information can be presented in a manner
designed to reinforce its perceived validity.
Note 4 to entry: A credential can be a username, username with a password, a PIN, a smartcard, a token, a
fingerprint, a passport, etc.
3.3.9
Delete the terminological entry.
3.3.9
identity assurance
(withdrawn)
3.4.2
Replace with the following:
3.4.2
identity proofing
verification (3.2.2) based on identity evidence (3.4.4) aimed at achieving a specific level of assurance
Note 1 to entry: Identity proofing is typically performed as part of enrolment. Identity evidence may also be
needed during maintenance of registered identity information, e.g. recovery of a user account.
Note 2 to entry: Typically identity proofing involves a verification of provided identity information and may
include uniqueness checks, possibly based on biometric techniques.
Note 3 to entry: Verification for identity proofing is usually based on an enrolment policy that includes
specification of the verification criteria of the identity evidence to be provided by the entity.

Note 4 to entry: The verified identity information obtained when performing identity proofing may be included
in the registration and may serve to facilitate future identification of the entity.

3.4.3
Replace Note 1 with the following text:
Note 1 to entry: Enrolment typically comprises the collection and validation of identity information for
identification of an entity and the collection of the identity information required for identity registration (3.4.6),
followed by identity registration itself.
Delete Note 2 to the terminological entry.

3.4.4
Replace with the following:
3.4.4
identity evidence
evidence of identity
information that can support validating identity information
Note 1 to entry: Identity evidence is the presented and gathered information related to an entity that provides
the attributes needed for a successful identification or authentication at a specific (high) level of assurance.

3.4.5
Replace the definition with the following text:
repository of identities (3.1.2)
Replace Note 3 with the following text:
Note 3 to entry: The reliability of the identity information in an identity register is determined by the identity
proofing policies used during enrolment.

3.4.6
Add “registration” as an admitted term.

3.4
Add new terminological entries as follows:
3.4.8
identity management system
mechanism comprising policies, procedures, technology and other resources for maintaining identity
information including associated metadata
Note 1 to entry: An identity management system is typically used for identification or authentication of entities.
It can be deployed to support other automated decisions based on identity information for an entity recognized
in the domain for the identity management system.

3.4.9
registration authority
RA
entity (3.1.1) related to a particular domain (3.2.3) responsible for enrolment (3.4.3), identity proofing
(3.4.2) and identity registration (3.4.6)
3.4.10
credential issuer
entity (3.1.1) responsible for provisioning of a credential (3.3.5) to a principal (3.1.7) in a specific
domain (3.2.3)
Note 1 to entry: A credential provisioned by an issuer can have a physical form, e.g. a membership (smart) card.
Note 2 to entry: The issuance of a credential for a principal can be recorded as an attribute for the principal, e.g.
by recording the unique number of the token issued.
Note 3 to entry: A credential provisioned by an issuer may be a username and password. A credential in the form
of a smart card or similar secure device can be configured to validate a password off-line.
3.4.11
credential service provider
CSP
trusted entity (3.1.1) related to a particular domain (3.2.3) responsible for management of credentials
(3.3.5) issued in that domain
Note 1 to entry: It is possible that a CSP acts as credential issuer (3.4.10).

3.5.1
Replace with the following:
3.5.1
federated identity
identity (3.1.2) for use in multiple domains (3.2.3)
Note 1 to entry: Some or all of the domains where a federated identity can be used may be formally joined as an
identity federation. Identity information providers of domains in the federation may jointly manage a federated
identity.
Note 2 to entry: The federated identity can be persistent or be a temporary one.

3.5.3
Delete the terminological entry.
3.5.3
single-sign-on identity
(withdrawn)

3.6.4
Delete the terminological entry for “anonymity” and replace with the following:
3.6.4
ephemeral identifier
identifier (3.1.4) with a restricted validity period
Note 1 to entry: Typically, an ephemeral identifier is provided to a subject as a cryptographic credential to
rep
...


ISO/IEC 24760-1 Am 1 FDAM:2018(E)
ISO/IEC JTC 1/SC 27 N18388
Date: 2018-06-01
ISO/IEC JTC 1/SC 27/WG 5
Secretariat: DIN
3.6.4
Delete the terminological entry for “anonymity” and replace with the following:
3.6.4
ephemeral identifier
identifier (3.1.4) with a restricted validity period
Note 1 to entry: Typically, an ephemeral identifier is provided to a subject as a cryptographic credential to
represent an authenticated identity.
Note 2 to entry: Typically, an ephemeral identifier can only be verified in the domain that created it, possibly also
in domains federated with this domain.

3.6
Add new terminological entry as follows:
3.6.5
blinded affirmation
principle of identity management (3.4.1) of not providing identity information (3.2.4) for an entity to a
third party except a statement that the entity is known in a domain
Note 1 to entry: Blinded affirmation provides a strong level of protection for the privacy of a principal.
Note 2 to entry: Blinded affirmation may be realized with an ephemeral identifier or pseudonym.
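Entries 3.6.4 and 3.6.5 together describe a mechanism that can be shown end to end: a domain answers a third party with nothing more than "this entity is known here" plus an ephemeral identifier, and that identifier is opaque to the third party, verifiable only by the domain that created it (or a federated domain holding the same key), and unusable once its validity period ends. The following Python is an added illustration and is not text or code from ISO/IEC 24760-1; the token layout (base64url claims with an HMAC-SHA256 tag under a per-domain key), the domains `alpha.example` and `beta.example`, their keys and the register contents are constructed for the example.

```python
"""Ephemeral identifier (3.6.4) and blinded affirmation (3.6.5), worked example.

Added illustration, not from ISO/IEC 24760-1. The token format (base64url
claims plus an HMAC-SHA256 tag under a per-domain key), the domains
alpha.example and beta.example, their keys and the register contents are all
constructed for this example.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed per-domain secret keys. Only the domain that created an ephemeral
# identifier, or a federated domain it shares the key with, can verify it (Note 2 to 3.6.4).
DOMAIN_KEYS: Dict[str, bytes] = {
    "alpha.example": b"constructed-key-for-alpha",
    "beta.example": b"constructed-key-for-beta",
}

# Constructed identity registers (3.4.5): principal -> identity information held by the domain.
REGISTERS: Dict[str, Dict[str, dict]] = {
    "alpha.example": {"alice": {"email": "alice@alpha.example", "birth_year": 1990}},
    "beta.example": {},
}

# Domain-side table resolving the opaque handle carried in an identifier back to the
# principal. It never leaves the domain, so the identifier itself reveals no identity information.
_HANDLES: Dict[str, Dict[str, str]] = {domain: {} for domain in DOMAIN_KEYS}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_ephemeral_identifier(domain: str, subject: str, now: int, lifetime_s: int) -> str:
    """Mint an identifier for `subject` valid only until now + lifetime_s (3.6.4).

    The claims are authenticated with the domain key, so the identifier serves as a
    cryptographic credential representing an authenticated identity (Note 1 to 3.6.4).
    """
    exp = now + lifetime_s
    handle = hmac.new(DOMAIN_KEYS[domain], f"{subject}|{exp}".encode(),
                      hashlib.sha256).hexdigest()[:16]   # opaque to everyone but the domain
    _HANDLES[domain][handle] = subject
    payload = json.dumps({"dom": domain, "hdl": handle, "exp": exp},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(DOMAIN_KEYS[domain], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def visible_claims(token: str) -> dict:
    """What any holder of the token can read from it: domain, opaque handle and expiry only."""
    return json.loads(base64.urlsafe_b64decode(token.split(".")[0]))


def verify_ephemeral_identifier(domain: str, token: str, now: int) -> Optional[str]:
    """Return the principal if `token` was created by `domain` and is still within its
    validity period; otherwise None (malformed, wrong key, other domain, or expired)."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(DOMAIN_KEYS[domain], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # not minted under this domain's key
        return None
    claims = json.loads(payload)
    if claims.get("dom") != domain or now > claims.get("exp", -1):
        return None                              # outside the restricted validity period
    return _HANDLES[domain].get(claims.get("hdl"))


def blinded_affirmation(domain: str, subject: str, now: int, lifetime_s: int = 300) -> dict:
    """Answer a third party without handing over identity information (3.6.5).

    The reply carries only the statement that the entity is known in the domain and,
    when it is, an ephemeral identifier the third party can later present back to the
    domain (Note 2 to 3.6.5); nothing from the register is disclosed.
    """
    if subject not in REGISTERS[domain]:
        return {"known": False}
    return {"known": True,
            "ephemeral_id": issue_ephemeral_identifier(domain, subject, now, lifetime_s)}


if __name__ == "__main__":
    now = 1_700_000_000
    reply = blinded_affirmation("alpha.example", "alice", now)
    tok = reply["ephemeral_id"]
    print("third party sees:", reply, "->", visible_claims(tok))
    print("alpha.example resolves it to:", verify_ephemeral_identifier("alpha.example", tok, now + 10))
    print("beta.example resolves it to:", verify_ephemeral_identifier("beta.example", tok, now + 10))
    print("alpha.example after expiry:", verify_ephemeral_identifier("alpha.example", tok, now + 301))
```

Two design points carry the privacy property. The handle inside the token is derived under the domain key and resolved through a table that stays inside the domain, so the token discloses no attribute of the principal; and the HMAC tag is checked before anything else, so a domain without the key (here `beta.example`) learns nothing except that the token is not its own.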

Clause 4
Remove abbreviated terms DA and IMS.

5.1
Replace the first, second and third paragraphs including Note 1 with the following text:
An identity represents an entity in an ICT system as data to be stored or processed. The (business)
purposes of a particular domain of application served by an ICT system determine which of the
attributes pertaining to an entity are to be used in its identity. A persistently stored identity is the
basis for identification of a principal. If a pe
...
