Definition

Electronic credentials are

[d]igital documents used in authentication that bind an identity or an attribute to a subscriber's token.[1]

Overview

There are a variety of electronic credential types in use today, and new types of credentials are constantly being created. At a minimum, credentials include identifying information that permits recovery of the records of the registration associated with the credentials and a name that is associated with the subscriber. In every case, given the issuer and the identifying information in the credential, it must be possible to recover the registration records upon which the credentials are based.

Electronic credentials may be general-purpose credentials or targeted to a particular verifier. Some common types of credentials are:

Electronic credentials may be stored as data in a directory or database. These credentials may be digitally signed objects (e.g., X.509 certificates), in which case their integrity can be verified by checking the issuer's signature. In this case, the directory or database may be an untrusted entity, since the data it supplies is self-authenticating: a relying party that holds the issuer's public key can detect any alteration regardless of where the credential was stored. Alternatively, the directory or database server may be a trusted entity that authenticates itself to the relying party or verifier. When the directory or database server is trusted, unsigned credentials may simply be stored as unsigned data, and the integrity of the credential then rests on the security of that server and of the authenticated channel to it.
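As an added illustration (not part of the original article or of NIST SP 800-63), the following Go program models the signed-credential case described above: an issuer signs a credential document, an untrusted directory stores it, and the relying party verifies the issuer's signature before acting on the data, rejecting a copy the directory has altered. An Ed25519-signed JSON document stands in for an X.509 certificate; the field names, the issuer name and the registration identifier are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a constructed, simplified credential document. It carries the
// identifying information the text calls for: the issuer, a registration record
// identifier, the subscriber's name and the subscriber's token (a public key).
type Credential struct {
	Issuer         string `json:"issuer"`
	RegistrationID string `json:"registration_id"`
	Subscriber     string `json:"subscriber"`
	TokenPublicKey []byte `json:"token_public_key"`
}

// SignedCredential is the self-authenticating object an untrusted directory
// may hand out: the serialized credential plus the issuer's signature over it.
type SignedCredential struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// ErrBadSignature is returned when the signature does not match the payload,
// i.e. the directory returned a modified or forged credential.
var ErrBadSignature = errors.New("credential signature invalid")

// Issue serializes the credential and signs it with the issuer's Ed25519 key.
func Issue(issuerKey ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(issuerKey, payload)}, nil
}

// Verify checks the issuer's signature before parsing the payload, so the
// relying party never acts on data the directory could have altered.
func Verify(issuerPub ed25519.PublicKey, sc SignedCredential) (Credential, error) {
	if !ed25519.Verify(issuerPub, sc.Payload, sc.Signature) {
		return Credential{}, ErrBadSignature
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, err
	}
	return c, nil
}

// Directory stands in for an untrusted directory or database: a plain map the
// relying party does not authenticate. All integrity comes from the signatures.
type Directory map[string]SignedCredential

// Demo issues a credential, stores it in the untrusted directory, retrieves and
// verifies it, then shows that a copy tampered with inside the directory is
// rejected. It returns (genuineVerified, tamperedRejected).
func Demo() (bool, bool) {
	issuerPub, issuerKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	subscriberPub, _, err := ed25519.GenerateKey(rand.Reader) // the subscriber's token
	if err != nil {
		panic(err)
	}
	cred := Credential{
		Issuer:         "Example Issuer (constructed)",
		RegistrationID: "REG-0001 (constructed)",
		Subscriber:     "alice",
		TokenPublicKey: subscriberPub,
	}
	signed, err := Issue(issuerKey, cred)
	if err != nil {
		panic(err)
	}
	dir := Directory{"alice": signed}

	// Relying party: fetch from the untrusted store and verify before use.
	got, err := Verify(issuerPub, dir["alice"])
	genuineVerified := err == nil && got.Subscriber == "alice" && got.RegistrationID == cred.RegistrationID

	// A dishonest directory rewrites the subscriber name in the stored payload;
	// the issuer's signature no longer matches, so verification fails.
	tampered := dir["alice"]
	tampered.Payload = bytes.Replace(tampered.Payload, []byte(`"alice"`), []byte(`"mallory"`), 1)
	_, err = Verify(issuerPub, tampered)
	tamperedRejected := errors.Is(err, ErrBadSignature)

	return genuineVerified, tamperedRejected
}

func main() {
	ok, rejected := Demo()
	fmt.Printf("genuine credential verified: %v\ntampered credential rejected: %v\n", ok, rejected)
}
```

The relying party needs only the issuer's public key, not any trust in the directory; that is what makes the stored object self-authenticating. In the alternative case the text describes (a trusted, authenticated server holding unsigned data), the `Verify` step would be replaced by authenticating the server itself, and a compromised or impersonated server could then serve altered credentials undetected.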

References

  1. NIST, Electronic Authentication Guideline (NIST Special Publication 800-63), at 5 (Apr. 2006).