1、 International Telecommunication Union ITU-T X.1252TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2010) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity management Baseline identity management terms and definitions Recommendation ITU-T X.1252 ITU-T X
2、-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANA
3、GEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES
4、Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Co
5、untering spam X.1230X.1249 Identity management X.1250X.1279SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.15
6、49 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1252 (04/2010) i Recommendation ITU-T X.1252 Baseline iden
7、tity management terms and definitions Summary Recommendation ITU-T X.1252 provides definitions of key terms used in identity management (IdM). The terms are drawn from many sources but all are believed to be in common use in IdM work. This Recommendation is not intended to be a huge compendium of Id
8、M-related terms. Instead, the terms defined here are limited to those considered to constitute a baseline list of the most important and commonly-used IdM-specific terms. This Recommendation includes Annex A that explains the rationale for some of these key terms. One of the main objectives of this
9、Recommendation is to promote a common understanding of these terms among the groups currently developing (or planning to develop) IdM-related standards. The definitions are constructed so that, as far as possible, they are independent of implementations or specific context and, therefore, should be
10、suitable as baseline definitions for any IdM work. It is acknowledged that, in some instances and contexts, greater detail may be required for a particular term, in which case, elaboration of the baseline definition may be considered. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1
11、252 2010-04-16 17 ii Rec. ITU-T X.1252 (04/2010) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a perm
12、anent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establi
13、shes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary stand
14、ards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Reco
15、mmendation may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents a
16、re used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed In
17、tellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not rec
18、eived notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/i
19、pr/. ITU 2010 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1252 (04/2010) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 1 4 Abbreviations and acronyms 2 5 Conventions 2 6 Terms and d
20、efinitions . 2 Annex A Key points and rationale for IdM basic terminology. 7 A.1 Authentication and confidence . 7 A.2 Claim/assertion . 12 A.3 Enrolment and registration . 12 A.4 Identity provider and identity service provider 12 A.5 Identity pattern 13 Bibliography. 14 iv Rec. ITU-T X.1252 (04/201
21、0) Introduction Compilation of this list of IdM terms and definitions began in 2007. It has had many iterations, received contributions and comments from many people and been reviewed many times. The terms and definitions are from many sources. Some of these, but by no means all of them, are listed
22、in the Bibliography. In some cases, the original definition was suitable and included, but in many cases it was modified or combined with others resulting in a “best of breed“ for a particular term. Considerable effort has been made to ensure that the definitions convey the same meaning as those in
23、other IdM Recommendations | International Standards. This means that, in some cases, the words may not be identical but the meaning should be the same. Because a term may be used in a number of different contexts, the definitions are confined to a baseline or simple definition of the term without in
24、cluding alternatives or variations that may occur. If additional detail or clarification is needed, this can be added as required. The fundamental points from which the definitions are derived are discussed further in Annex A. Rec. ITU-T X.1252 (04/2010) 1 Recommendation ITU-T X.1252 Baseline identi
25、ty management terms and definitions 1 Scope This Recommendation contains a baseline set of definitions of terms commonly used in identity management (IdM). The definitions provide a basic definition of the term, i.e., they are intended to convey the basic meaning although exceptionally, a note is in
26、cluded when it helps to clarify the definition. The rationale for some of the key terms/definitions is included in Annex A. NOTE The use of the term “identity“ in this Recommendation relating to IdM does not indicate its absolute meaning. In particular, it does not constitute any positive validation
27、 of a person. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subj
28、ect to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document
29、within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.501 Recommendation ITU-T X.501 (2005) | ISO/IEC 9594-2:2005, Information technology Open Systems Interconnection The Directory: Models. ITU-T X.800 Recommendation ITU-T X.800 (1991, Securi
30、ty architecture for Open Systems Interconnection for CCITT applications. ITU-T X.810 Recommendation ITU-T X.810 (1995) | ISO/IEC 10181-1:1996, Information technology Open Systems Interconnection Security frameworks for open systems Overview. ITU-T X.811 Recommendation ITU-T X.811 (1995) | ISO/IEC 10
31、181-2:1996, Information technology Open Systems Interconnection Security frameworks for open systems Authentication framework. ITU-T Y.2701 Recommendation ITU-T Y.2701 (2007), Security requirements for NGN release 1. ITU-T Y.2702 Recommendation ITU-T Y.2702 (2008), Authentication and authorization r
32、equirements for NGN release 1. ITU-T Y.2720 Recommendation ITU-T Y.2720 (2009), NGN identity management framework. 3 Definitions This clause is intentionally left blank. 2 Rec. ITU-T X.1252 (04/2010) 4 Abbreviations and acronyms This Recommendation uses the following abbreviations: IdM Identity Mana
33、gement IdP Identity Provider IdSP Identity Service Provider NGN Next Generation Network PII Personally Identifiable information RP Relying Party 5 Conventions This clause is intentionally left blank. 6 Terms and definitions 6.1 access control: A procedure used to determine if an entity should be gra
34、nted access to resources, facilities, services, or information based on pre-established rules and specific rights or authority associated with the requesting party. 6.2 address: An identifier for a specific termination point that is used for routing. 6.3 agent: An entity that acts on behalf of anoth
35、er entity. 6.4 alliance: An agreement between two or more independent entities that defines how they relate to each other and how they jointly conduct activities. 6.5 anonymity: A situation where an entity cannot be identified within a set of entities. NOTE Anonymity prevents the tracing of entities
36、 or their behaviour such as user location, frequency of a service usage, and so on. 6.6 assertion: A statement made by an entity without accompanying evidence of its validity.16.7 assurance: See authentication assurance and identity assurance. 6.8 assurance level: A level of confidence in the bindin
37、g between an entity and the presented identity information. 6.9 attribute: Information bound to an entity that specifies a characteristic of the entity. 6.10 attribute type ITU-T X.501: A component of an attribute that indicates the class of information given by that attribute. 6.11 attribute value
38、ITU-T X.501: A particular instance of the class of information indicated by an attribute type. 6.12 (entity) authentication: A process used to achieve sufficient confidence in the binding between the entity and the presented identity. NOTE Use of the term authentication in an identity management (Id
39、M) context is taken to mean entity authentication. _ 1The terms assertion and claim are agreed to be very similar. Rec. ITU-T X.1252 (04/2010) 3 6.13 authentication assurance: The degree of confidence reached in the authentication process that the communication partner is the entity that it claims t
40、o be or is expected to be. NOTE The confidence is based on the degree of confidence in the binding between the communicating entity and the identity that is presented. 6.14 authorization ITU-T Y.2720, and ITU-T X.800: The granting of rights and, based on these rights, the granting of access. 6.15 bi
41、nding: An explicit established association, bonding, or tie. 6.16 biometric recognition b-ISO/IEC CD 2382-37: Automated recognition of individuals based on observation of behavioural and biological characteristics. 6.17 certificate ITU-T X.810: A set of security-relevant data issued by a security au
42、thority or a trusted third party, that, together with security information, is used to provide the integrity and data origin authentication services for the data. 6.18 claim b-OED: To state as being the case, without being able to give proof.16.19 claimant ITU-T Y.2720, and ITU-T X.811: An entity th
43、at is or represents a principal for the purposes of authentication. NOTE A claimant includes the functions necessary for engaging in authentication exchanges on behalf of a principal. 6.20 context: An environment with defined boundary conditions in which entities exist and interact. 6.21 credential:
44、 A set of data presented as evidence of a claimed identity and/or entitlements. 6.22 delegation: An action that assigns authority, responsibility, or a function to another entity. 6.23 digital identity: A digital representation of the information known about a specific individual, group or organizat
45、ion. 6.24 enrolment: The process of inauguration of an entity into a context. NOTE 1 Enrolment may include verification of the entitys identity and establishment of a contextual identity. NOTE 2 Also, enrolment is a pre-requisite to registration. In many cases, the latter is used to describe both pr
46、ocesses. 6.25 entity: Something that has separate and distinct existence and that can be identified in context. NOTE An entity can be a physical person, an animal, a juridical person, an organization, an active or passive thing, a device, a software application, a service, etc., or a group of these
47、entities. In the context of telecommunications, examples of entities include access points, subscribers, users, network elements, networks, software applications, services and devices, interfaces, etc. 6.26 entity authentication: A process to achieve sufficient confidence in the binding between the
48、entity and the presented identity. NOTE Use of the term authentication in an identity management (IdM) context is taken to mean entity authentication. 6.27 federation: An association of users, service providers, and identity service providers. 6.28 identification: The process of recognizing an entit
49、y by contextual characteristics. 6.29 identifier: One or more attributes used to identify an entity within a context. 4 Rec. ITU-T X.1252 (04/2010) 6.30 identity: A representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within context. For identity management (IdM) purposes, the term identity is understood as contextual identity (subset of attributes), i.e., the variety of attrib
