3.2 Entity, Identity, Identity Management and Other Related Terminologies
3.2.4 Identifiers, Partial Identifiers, Null Identifiers and Credentials
There are three different classes of attributes. One class can uniquely identify an entity, the second class can identify at least one entity and the third can identify no entities. These types are defined as the Identifier, Partial Identifier and Null Identifier respectively. Each type is explained below. Then, a special attribute called Credential is introduced that accompanies an identifier value during the identification and authentication process.
Identifier. An Identifier is an attribute whose value can be used to uniquely identify an entity within an application domain [71, 74]. An entity may have many attributes associated with itself, however, the most representative attribute whose value can be used to uniquely identify an entity can be defined as the Identifier of that entity. According to this definition, an Identifier is similar to the functionalities of a primary key in a relational database table.
There are many attributes in an application domain that may be used to uniquely identify an entity at a certain point in time. However, when more entities are added into the application domain, it may happen that one of the new entities has the same value for that attribute as an existing entity, thus violating the condition that its value can be used to uniquely identify an entity. To avoid unnecessary complications, each application domain considers one attribute as the identifier and ensures that its value can be used to uniquely identify an entity as long as the application domain exists. To determine the chosen identifier for a particular domain, the following function is defined.
Definition 4 The function identifier : DOMAIN → Ad returns the chosenidentifier such
that for any domaind, if i = identifier (d), then the following conditions are satisfied:
• atEntityToValued(i, e) is defined for all e ∈ Ed;
• atEntityToValued(i, e1) 6= atEntityToValued(i, e2) for all distinct e1, e2 ∈ Ed.
The above conditions correspond to the following (required) properties when an attribute has been selected as the Identifier in a domain.
• Each entity of an application domain must have a value for the identifier;
• The value for the identifier can be used to uniquely identify any entity at any point in time as long as the application domain exists. More formally, if i = identifier (d) and v ∈ atToValueSetd(i), then |atValueToEntitySetd(i, v)| = 1.
These conditions can be enforced during the registration process (an essential step of Identity Management which will be explored later). More precisely, when a new entity is registered
3.2. Entity, Identity, Identity Management and Other Related Terminologies 44
(added) in an application domain, it has to be ensured that the value of the identifier for that entity is not null and also unique with respect to the existing values of the identifier for other existing entities.
It is assumed that the username is the attribute that the exemplary system BLOG has selected as the Identifier. Therefore, identif ier(BLOG) = username.
Partial Identifier. When the value of an attribute identifies at least one entity within a specific application domain, the attribute is defined as a Partial Identifier [71]. An example of a partial identifier is Surname. Many people may share the same surname and therefore it is likely that the surname can identify more than one person. Formally, the set of partial identifiers can be defined in the following way:
Definition 5 The set of partial identifiers PId ⊆ Ad\{identifier (d )} in domain d is such
thatpi ∈ PIdif and only ifatEntityToValue(pi , e) is defined for some e ∈ Ed.
This means, for any pi ∈ PIdand v ∈ atToValueSetd(pi):
|atValueToEntitySetd(pi, v)| ≥ 1
Null Identifier. Null Identifiers are those attributes which do not have any value for all entities. The formal definition is given below:
Definition 6 The set of null identifiers NId ⊆ Ad\{identifier (d )} in domain d is such that
ni ∈ PIdif and only ifatEntityToValued(ni , e) is undefined for all e ∈ Ed.
From the above definitions, it follows that the sets of Partial and Null Identifiers are disjoint, i.e. PId∩ NId= ∅.
Returning to the example, all other attributes apart from username in BLOG will be consid- ered as partial identifiers, that is, P IBLOG = {age, postcode}. There is no null identifier in
the example.
Next, functions to relate identifier, partial identifiers and entities are defined.
Definition 7 The (injective) function idValueToEntityd : AVd → Ed maps a value of the
identifier to the respective (unique) entity in domaind. That is, for any v ∈ atToValueSetd(id
entifier (d )):
idValueToEntityd(v) = e
3.2. Entity, Identity, Identity Management and Other Related Terminologies 45
The idValueToEntity function can be used to define a function, idValueToEntitySetd : P(AVd) → P(Ed) that retrieves the set of entities for a set of values of the identifier. More
precisely, for Bd ⊆ atToValueSetd(identifier (d )),
idValueToEntitySetd(Bd) =
[
b∈Bd
idValueToEntityd(b) (3.4)
Furthermore, the following function is defined to find how each partial identifier can be mapped to a set of entities.
Definition 8 Let piToEntitySetd : PId×AVd → P(Ed) be the function that maps each
partial identifier and value to the corresponding entities. Formally, for any pi ∈ PId and
v ∈ atToValueSetd(pi ):
piToEntitySetd(pi , v ) = {e ∈ Ed| atEntityToValued(pi , e) = v }
Again returning to the example:
idValueToEntityBLOG(john) = JOHN idValueToEntityBLOG(rahim) = RAHIM
piToEntitySetBLOG((postcode, G3 )) = {J OHN, RAHIM }
Next, a function to relate the identifier to partial identifiers is introduced.
Definition 9 Let idValueToPiValueSetd: AVd → P(PId×AVd) be the function that maps
a value of the identifier to the corresponding set of partial identifiers and their values in domaind. That is, for any v ∈ atToValueSetd(identifier (d )), if idValueToEntityd(v) = e,
thenidValueToPiValueSetd(v ) is given by the set:
{(pi , v) | pi ∈ PId, atEntityToValued(pi , e) is defined and equals v}
Following the example, idValueToPiValueSetBLOG(john) = {(age, 31 ) , (postcode, G3 )}.
Figure 3.1 provides a graphical analogy of the relation between the user (entity), the identifier and the partial identifiers.
Credentials. In the real world, different physical attributes of a person are the attestation of who she is. Biometrics in the form of photograph, signature, or PIN (Personal Identification Number) are widely used credentials to be used with an ID or bank card. However, the sit- uation is somewhat different in the online world as the physical face-to-face recognition is largely absent. To testify the identity of an entity online, another attribute called a Credential
3.2. Entity, Identity, Identity Management and Other Related Terminologies 46
Figure 3.1: The relation between the user, identifier and the partial identifiers.
Figure 3.2: The (total) identity of an en- tity.
is needed. A generalised definition of Credential can be quoted from the Glossary of the Mo- dinis Project: “A credential is a piece of information attesting to the integrity of certain stated facts” [63]. In this thesis, a credential will be considered as an attribute that accompanies an identifier and can be used to attest the authority of an entity over the supplied identifier (known as the authentication process, see Section 3.3.1). Such a credential is assumed to be secret to everyone except to the valid user. The simplest and also the weakest form of such credentials is a password. Attribute certificates are a common type of credential in the PKI (Public Key Infrastructure) System. For a more secure authentication process, biomet- rics such as fingerprints, face recognition, voice recognition, retina scan or secure hardware tokens such as the OTP (One Time Password) generator could be used.
Let, creddbe the attribute that holds the credential for each entity in domain d.
Definition 10 Let checkCredentiald : (identifier (d)×AVd)×(credd×AVd) → {true, false}
be the function which given the input of an identifier and credential with their corresponding values returns true if the supplied identifier value equals the original identifier value and the credential value equals the original credential value or returns false otherwise.