OFFICIAL
01 - Glossary of Abbreviations and Terms
Trusted Digital Identity Framework (TDIF) Release 4 (R4) December 2019, version 0.3
CONSULTATION DRAFT
Digital Transformation Agency — TDIF: 01 – Glossary of Abbreviations and Terms iii
Digital Transformation Agency
This work is copyright. Apart from any use as permitted under the Copyright Act 1968
and the rights explicitly granted below, all rights are reserved.
Licence
With the exception of the Commonwealth Coat of Arms and where otherwise noted,
this product is provided under a Creative Commons Attribution 4.0 International
Licence. (http://creativecommons.org/licenses/by/4.0/legalcode)
This licence lets you distribute, remix, tweak and build upon this work, even
commercially, as long as you credit the DTA for the original creation. Except where
otherwise noted, any reference to, reuse or distribution of part or all of this work must
include the following attribution:
Trusted Digital Identity Framework (TDIF)™: 01 – Glossary of Abbreviations and
Terms © Commonwealth of Australia (Digital Transformation Agency) 2019
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It’s an Honour website (http://www.itsanhonour.gov.au)
Contact us
The Digital Transformation Agency is committed to providing web accessible content
wherever possible. This document has undergone an accessibility check; however, if
you are having difficulties with accessing the document, or have questions or
comments regarding the document please email the Director, Digital Identity Policy at
Document management
The Trust Framework Accreditation Authority (TFAA) has reviewed and endorsed this
document for release.
Change log
Version Date Author Description of the changes
0.1 July 2019 SJP Initial version (removed from the previously titled TDIF Overview and Glossary)
0.2 Sep 2019 SJP Updated to incorporate feedback provided by key stakeholders during the first round of collaboration on TDIF Release 4
0.3 Dec 2019 SJP Updated to incorporate feedback provided by key stakeholders during the second round of collaboration on TDIF Release 4
Digital Transformation Agency — TDIF: Release 4 Collaboration Draft 1
1 Glossary of abbreviations
Term Meaning
3DES Triple Data Encryption Standard
AACA Australian Signals Directorate Approved Cryptographic Algorithm
AACP Australian Signals Directorate Approved Cryptographic Protocol
ABN Australian Business Number
ABR Australian Business Register
ACDC Australian Commercial Disputes Centre
ACSC Australian Cyber Security Centre
ACE Australian Signals Directorate Cryptographic Evaluation
ACR Authentication Context Class Reference
AES Advanced Encryption Standard
AFP Australian Federal Police
AGIMO Australian Government Information Management Office
AGIS Australian Government Investigations Standards
AGSVA Australian Government Security Vetting Agency
AIC Australian Institute of Criminology
ALGA Australian Local Government Association
APC Approved Privacy Code
API Application Programming Interface
APP Australian Privacy Principles
ASD Australian Signals Directorate
ASIC Australian Securities and Investments Commission
ASIO Australian Security Intelligence Organisation
AS NZS Australia and New Zealand Standards
B2B Business to Business
B2I Business to Individual
B2G Business to Government
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart
CDPP Commonwealth Director of Public Prosecutions
CFC Community Footprint Check
CFCF Commonwealth Fraud Control Framework
CISO Chief Information Security Officer
CKMP Cryptographic Key Management Plan
CL Authentication Credential Level
COAG Council of Australian Governments
CoI Commencement of Identity
CSP Credential Service Provider
DH Diffie-Hellman
DHS Department of Human Services
DLM Dissemination Limiting Marker
DoH Department of Health
DFAT Department of Foreign Affairs and Trade
DRBCP Disaster Recovery and Business Continuity Plan
DSA Digital Signature Algorithm
DTA Digital Transformation Agency
DVS Document Verification Service
EAL Evaluated Assurance Level
ECDH Elliptic Curve Diffie-Hellman
ECDSA Elliptic Curve Digital Signature Algorithm
EDI Electronic Data Interchange
EoI Evidence of Identity
EPL Evaluated Products List
EU GDPR European Union General Data Protection Regulations
FoD Fact of Death File
FVS Facial Verification Service
G2G Government to Government
HSM Hardware Security Module
ICT Information and Communication Technologies
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
I2I Individual to Individual
I2G Individual to Government
IdP Identity Service Provider
IP Identity Proofing Level
IRAP Information Security Registered Assessors Program
IRP Incident Response Plan
ISD Information Security Documents
ISM Australian Government Information Security Manual
ISO / IEC International Organisation for Standardization / International Electro-technical Commission
ISP Information Security Policy
IT Information Technology
ITSA Information Technology Security Adviser
ITSM Information Technology Security Manager
ITSO Information Technology Security Officer
ITU-T International Telecommunication Union – Telecommunication Standardization Sector
LOA Level of Assurance
MitM Man in the Middle (attack)
MOA Memorandum of Agreement
MOU Memorandum of Understanding
NDES National Digital Economy Strategy
NeAF National eAuthentication Framework
NDLFRS National Driver Licence Facial Recognition Solution
NIAP National Information Assurance Partnership
NIPG National Identity Proofing Guidelines
NIST National Institute of Standards and Technology
NIST SP NIST Special Publication
NPE Non-Person Entity
NTIF National Trusted Identities Framework
OA Oversight Authority
OAIC Office of the Australian Information Commissioner
OASIS Organisation for the Advancement of Structured Information Standards
OECD Organisation for Economic Co-operation and Development
OID Object Identifier
OIDC OpenID Connect 1.0
OIX Open Identity Exchange
ORs Operating Rules
OTP One-Time Password
PAD Personal Authentication Device
PESP Physical and Environmental Security Plan
PIA Privacy Impact Assessment
PII Personal Identifiable Information
PIN Personal Identification Number
PKI Public Key Infrastructure
PM&C Prime Minister and Cabinet
PORO Proof of Record Ownership
PP Protection Profile
PSP Personnel Security Plan
PSPF Australian Government Protective Security Policy Framework
PSRR Protective Security Risk Review
RBDM Registries of Births, Deaths and Marriages
RCA Root Certification Authority
RFC Request for Comment
RP Relying Party
RSA Rivest-Shamir-Adleman
RTA Road Traffic and Transport Authorities
RTM Requirements Traceability Matrix
SA Services Australia
SAML Security Assertion Mark-up Language
SHA Secure Hashing Algorithm
SMS Short Message Service
SoA Statement of Applicability
SOP Standard Operating Procedure
SOW Statement of Work
SRMP Security Risk Management Plan
SSP System Security Plan
TDIF Trusted Digital Identity Framework
TFAA Trust Framework Accreditation Authority
TPISAF Third Party Identity Services Assurance Framework
Top 4 Top 4 Strategies to Mitigate Cyber Security Incidents
UitC Use in the Community
UNCITRAL United Nations Commission on International Trade Law
UX User Experience
2 Glossary of terms
A wide variety of terms are used in the realm of identity management. While the definitions of many of these terms are sourced from existing government policies and international standards, the definition of some terms has been modified to meet the needs of the Trusted Digital Identity Framework. Where this occurs, the source is listed as ‘TDIF’.
Accreditation. The procedure by which an authoritative body gives independent attestation conveying formal demonstration of a Service Provider’s competence to provide services of the kind specified in an assurance framework. Source: Gatekeeper PKI Framework.
Accredited Participants. Organisations and government agencies that have achieved TDIF accreditation. Source: TDIF.
Active attack. An attack on the authentication protocol where the attacker transmits data to a User, Identity Service Provider, Credential Service Provider, Attribute Provider, Identity Exchange or Relying Party. Examples of active attacks include man-in-the-middle (MitM), impersonation, and session hijacking. Source: NIST SP 800-63-3.
Alternative binding. An attestation by a referee who has either a provable relationship with an individual claiming an identity (e.g. trusted referee) or has a professional status such that they can reliably attest to the identity of the individual. Source: TDIF.
Applicants. Organisations and government agencies that undergo the Trust Framework Accreditation Process in the role of an Attribute Service Provider, Credential Service Provider, Identity Service Provider, Identity Exchange or a combination of these. Source: TDIF.
Assertion. A statement from a verifier to a Relying Party that contains information about a subscriber. Assertions may also contain verified attributes. Source: NIST SP 800-63-3.
Assessing Officer. A person who assesses applications and makes a decision about whether a person meets the specified identity proofing requirements. The assessing officer must be an employee of the organisation or contracted to assess applications and who has demonstrated the necessary competency and aptitude to complete identity verification assessments. Source: TDIF.
Assessor. Consultants or independent evaluators of products, processes and systems who have the required skills, experience and qualifications to determine whether an Applicant has met specific requirements of the TDIF. Source: TDIF.
Assisted digital. An interaction between a person and an Identity Service Provider party aimed at successfully completing a transaction. This can include support provided to a person during an in-person identity proofing process or registration interview. Source: TDIF.
Attribute. An item of information or data associated with a subject. Examples of attributes include information such as name, address, date of birth, e-mail address, mobile number, etc. Source: UNCITRAL.
Attribute matching. A method used by a relying party to match a set of attributes to existing records. Source: TDIF.
Attribute Service Provider. A class of accreditation supported under the TDIF. They generate and manage authorisation, qualification and entitlement attributes relating to people to relying parties to support their decision-making processes. Where an Identity Service Provider verifies the identity of a person (e.g. I am Joe Bloggs), an Attribute Provider verifies specific attributes relating to entitlements, qualifications or characteristics of that person (e.g. this Joe Bloggs is authorised to act on behalf of business xyz in a particular capacity). Source: TDIF.
Attribute Verification Service. See Authoritative Source.
Assessment. An independent review and examination of validity, accuracy and reliability of information contained on a system to assess the adequacy of system controls and ensure compliance with established policies and procedures. In the context of conducting system accreditations, an audit (also known as a compliance assessment) is an examination and verification of an entity’s systems and procedures, measured against predetermined standards. Source: TDIF.
Australian Government Cyber Security Centre. Leads the Australian Government’s efforts to improve cyber security. The role of the ACSC is to help make Australia the safest place to connect online. Source: ACSC.
Australian Government Department of Health. Government agency responsible for delivering policies, programs and advice to the Australian Government on health, aged care and sport. The agency works with a wide range of stakeholders to ensure better health for all Australians. Source: DoH.
Australian Government Department of Home Affairs. Government agency responsible for Australia's federal law enforcement, national and transport security, criminal justice, emergency management, multicultural affairs and immigration and border-related functions and agencies. Source: Department of Home Affairs.
Australian Government Department of Human Services. Government agency responsible for the development of service delivery policy and provides access to social, health and other payments and services. Source: DHS.
Australian Government Department of Foreign Affairs and Trade. Government agency that works to make Australia stronger, safer and more prosperous, to provide timely and responsive consular and passport services, and to ensure a secure Australian Government presence overseas. The Department provides foreign, trade and development policy advice to government and works with other government agencies to ensure that Australia’s pursuit of its global, regional and bilateral interests is coordinated effectively. Source: DFAT.
Australian Government Digital Transformation Agency. Government agency which helps government to improve digital services to make them simple, clear and fast. Source: DTA.
Australian Government Information Security Manual. A manual to assist Australian government agencies in applying a risk-based approach to protecting their information and systems. The ISM includes a set of information security controls that, when implemented, will help agencies meet their compliance requirements for mitigating security risks to their information and systems. Source: ASD.
Australian Government Protective Security Policy Framework. Defines a series of core policies and mandatory requirements with which applicable Commonwealth agencies and bodies must demonstrate their compliance. These requirements cover protective security governance, personnel security, information security and physical security. Source: AGD.
Australian Institute of Criminology. Australia's national research and knowledge centre on crime and justice, compiling trend data and disseminating research and policy advice. Source: AIC.
Australian Privacy Principles. Are the cornerstone of the privacy protection framework in the Privacy Act 1988. There are 13 Australian Privacy Principles and they govern standards, rights and obligations around:
• The collection, use and disclosure of personal information.
• An organisation or agency’s governance and accountability.
• Integrity and correction of personal information.
• The rights of individuals to access their personal information.
Source: OAIC.
Authentication. A function for establishing the validity and assurance of a claimed identity of a user, device or another entity in an information or communications system. Source: OECD.
Authentication credential. See Credential.
Authentication Credential Level. The level of assurance or confidence in the authentication process, ranked from lowest to highest based on the consequence of incorrectly determining that a person is who they claim they are. Source: TDIF.
Authentication factor. A piece of information and process used to authenticate or verify the identity of an entity. Source: ISO/IEC 19790.
Authoritative source. Repositories recognised by the TFAA that confirm the veracity of asserted attributes and associated information. Authoritative sources can refer to either the repositories themselves, or the methods used to access them (e.g. the DVS or FVS). Source: TDIF.
Behavioural information or information about an individual’s behaviour. Includes data on the services an individual has accessed or tried to access and when, the Identity Service Provider(s) used by the individual, the method of access and when their identity was verified.
Binding. In an identity proofing context, it is an association between a known person and a person claiming their identity (e.g. Joe Bloggs exists, I am the same Joe Bloggs). In an authentication context, it is an association between a subscriber’s identity and a credential. Source: TDIF.
Biometric information (biometrics). Information about any measurable biological or behavioural characteristics of a natural person that can be used to identify them or verify their identity, such as face, fingerprints and voice. (Under the Privacy Act 1988 biometric information is considered as sensitive information, which provides additional obligations on organisations.) Source: NIPG.
Biometric verification. Any means by which an individual can be uniquely identified by evaluating their biometrics or behavioural characteristics. Source: TDIF.
Black box system testing. A security testing and examination technique performed by a protective security specialist. Black box techniques are performed against an application without source code knowledge. Black box techniques are used to assess the security of individual compiled components, interactions between components, applications, users, other systems and the external environment. Black box techniques are also used to determine how effectively an application or system can handle threats. Source: NIST SP 800-115.
Claimant. A person whose identity is to be verified using one or more authentication protocols. Source: TDIF.
Commencement of Identity. The first registration of an individual by a government agency in Australia and includes RBDM birth registrations and issuance of Home Affairs immigration documents and records [1]. Source: NIPG.
[1] In the context of the TDIF an Australian Passport is also considered a CoI document.
Commonwealth Fraud Control Framework. The Commonwealth Fraud Control Framework outlines the Australian Government’s requirements for fraud control. This includes a requirement that government entities have a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies. Source: Commonwealth Attorney-General’s Department.
Community Footprint Check. Confirm the operation of the identity in the community over time to provide additional confidence that an identity is legitimate in that it is being used in the community (including online where appropriate). Source: NIPG.
Consent. Means express consent or implied consent. The four key elements of consent are:
• The individual is adequately informed before giving consent.
• The individual gives consent voluntarily.
• The consent is current and specific.
• The individual has the capacity to understand and communicate their consent.
Source: OAIC.
Control. Any process, policy, device, practice or other actions within the internal environment of an organisation which modifies the likelihood or consequences of a risk. Source: ISO 31000.
Council of Australian Governments. The peak intergovernmental forum in Australia. The members of COAG are the Prime Minister, state and territory First Ministers and the President of the Australian Local Government Association. Source: COAG.
Credential. The technology used to authenticate a user’s identity. The user possesses the credential and controls its use through one or other authentication protocols. A credential may incorporate a password, cryptographic key or other form of secret. Source: NIPG.
Credential management. The ‘lifecycle’ approach associated with a credential including creation, initialisation, personalisation, issue, maintenance, recovery, cancellation, verification and event logging. Source: TDIF.
Credential Service Provider. A class of accreditation supported under the TDIF. A CSP generates and manages authentication credentials which are provided to people. This function may be internalised within an IdP. Source: TDIF.
Cryptographically secure verification. Verifying the integrity of the information on a credential using an approved cryptographic process such as the RFID chip in an e-passport or the signature on a pdf. Source: TDIF.
Cyber security incident. An occurrence or activity of a system, service or network state indicating a possible breach of protective security policy or failure of safeguards, or a previously unknown situation that may be security relevant. Examples include:
• Receiving suspicious or seemingly targeted emails with attachments or links.
• Any compromise or corruption of information.
• Unauthorised access or intrusion into an identity service.
• Data spill.
• Intentional or accidental introduction of viruses to a network.
• Denial of service attacks.
• Suspicious or unauthorised network activity.
Source: ISM.
Deduplication. The process of determining whether two or more digital identity records relate to the same person or a different person, whether within a single IDP (IDP deduplication), or across multiple IDPs, at the Exchange (ecosystem deduplication). Source: TDIF.
Digital identity. An electronic representation of an entity (individual or other entity such as a business) and how people and other entities are recognised online. An individual’s digital identity for instance is an amalgamation of personal attributes and information available online that can be bound to that individual. Source: TDIF.
Document Verification Service. A national online system that checks whether the biographic information on an identity document matches the original record. The result will simply be ‘yes’ or ‘no’. The DVS does not check facial images. The DVS makes it harder for people to use fake identity documents. The DVS has been operational since 2009. Both the public and private sector use the DVS. Source: ID Match (Department of Home Affairs).
Double blind. Refers to the aspects of the TDIF that require the Identity Exchange to mediate interactions between Participants on the system. Double-blind applies between:
• The Relying Party and the Identity Service Provider.
• The Identity Service Provider and the Attribute Provider.
• The Relying Party and the Attribute Provider, unless otherwise approved by the Oversight Authority.
Double blind does not apply between the Credential Service Provider and the Identity Service Provider. Source: TDIF.
End user. A person that interacts with a TDIF participant’s service. Source: TDIF.
Entity. Something that has separate and distinct existence and that can be identified in a context. Note: an entity can be a physical person, an organization, an active or passive thing, a device, a software application, a service, etc. Source: ITU-T Rec X.1252.
Essential Eight. No single mitigation strategy is guaranteed to prevent cyber security incidents. Government agencies and organisations are recommended to implement essential eight mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight pro-actively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident. Source: ACSC.
Evidence of Identity. Information that a person may present to support assertions or claims to a particular identity. The types of evidence that, when combined, provide confidence that a person is who they say they are and that the identity is valid and not known to be fraudulent. This evidence may be provided in the form of identity documents or other card-based credentials that contain key attributes (such as name, date of birth, unique identifier) or provide information on a person’s ‘pattern of life’ or ‘community footprint’. Source: NIPG.
Express consent. Is given explicitly, either orally or in writing. This could include a handwritten signature, or oral statement, or use of an electronic medium or voice signature to signify agreement. Source: OAIC.
Face Verification Service. A national online system that compares a photo against the image used on identity documents. The FVS can:
• Make access to government services more convenient for customers by avoiding the need to attend a shopfront.
• Help victims of identity crime reclaim their identity faster.
• Help prevent identity theft by detecting fake or stolen documents.
Source: ID Match (Australian Government Department of Home Affairs).
Fact of Death File. Is a compilation of death records from each of the data custodians. These files contain full name, date of birth and residential address details of all the people who have died in Australia. Data files are available on the Australian Coordinating Registry dating back to 1992. Source: Queensland Government.
Family name. A person’s last name or surname. The ordering of family name and given names varies among cultures. Some cultures do not recognise a ‘family’ name; in Australia the last name is usually adopted as the family name. Source: Department of Home Affairs.
Fraud. Dishonestly obtaining a benefit, or causing a loss, by deception or other means. Source: Commonwealth Fraud Control Policy.
In the context of TDIF accreditation, fraud against an Applicant or accredited Provider may include (but is not limited to):
• Theft.
• Accounting fraud (e.g. false invoices, misappropriation).
• Unlawful use of, or unlawful obtaining of equipment, material or services.
• Causing a loss or avoiding and/or creating a liability.
• Providing false or misleading information or failing to provide information when there is an obligation to do so.
• Misuse of assets, equipment or facilities.
• Making or using, false, forged or falsified documents.
• Wrongfully using information or intellectual property.
Gatekeeper Public Key Infrastructure Framework. The Australian Government's policy and accreditation framework for the use of PKI by Australian Government agencies. Source: Gatekeeper PKI Framework.
Given name. Given names include combinations of first name/s, forename, Christian name/s, middle name/s and second name/s. Source: Department of Home Affairs.
Identity. A set of the attributes about a person that uniquely describes the person within a given context. Source: UNCITRAL.
Identity attribute. A piece of information relating to identity (e.g. full name or date of birth or biometric information). Source: TDIF.
Identity crime. Activities or offences in which a perpetrator uses a fabricated, manipulated, stolen or otherwise fraudulently assumed identity to facilitate the commission of crime. Source: NIPG.
Identity document. Any document or other thing that contains or incorporates identification information and that is capable of being used as evidence of identity. Source: NIPG.
Identity document issuer. An Australian government entity or approved entity that issues identity documents, such as Passports, Driver’s Licences or Proof of Age cards. Source: TDIF.
Identity Exchange. A class of accreditation supported under the TDIF. An Identity Exchange conveys, manages and coordinates the flow of identity attributes and assertions between members of the identity federation. Once an Identity Exchange has been granted accreditation it becomes a trusted core element of the identity federation. Source: TDIF.
Identity federation. A group of Participants that work together to ensure identity-related information can be relied on by Relying Parties to make risk-based decisions. Synonyms: Multi-party identity system, federated identity management system, identity ecosystem. Source: TDIF.
Identity fraud. The gaining of money, goods, services or other benefits or the avoidance of obligations through the use of a fabricated, manipulated, stolen or otherwise fraudulently assumed identity. Source: NIPG.
Identity matching. The process completed by a relying party that determines whether a single digital identity relates to an existing record or is a new person. Source: TDIF.
Identity Proofing. Identity proofing refers to the process of collecting, verifying, and validating sufficient identity attributes about a specific person to define and confirm their identity. Source: TDIF.
Identity Proofing Level. An IP level describes the level of assurance or confidence in the identity proofing process ranked from lowest to highest based on the consequence of incorrectly identifying a person. Source: TDIF.
Identity resolution. The process of determining whether multiple records relate to the same person or a different person, including digital identity records at one or more identity providers and/or the Exchange, and/or agency records at a relying party. Source: TDIF.
Identity Service Provider. A class of accreditation supported under the TDIF. An IdP creates, maintains and manages trusted identity information of people and offers identity-based services. In the context of the TDIF, an Identity Service Provider carries out identity proofing. Source: TDIF.
Identity theft. The fraudulent use of a person’s identity (or a significant part thereof) without consent, whether the person is living or deceased. Source: NIPG.
Implied consent. Implied consent arises when consent may reasonably be inferred in the circumstances from the conduct of the individual and the APP entity. Source: OAIC.
In-person interaction. Communication between two or more natural persons which occurs in the physical world. Source: TDIF.
Individual. A natural person (i.e. human). Source: Acts Interpretation Act 1901.
Information Security Manual. See Australian Government Information Security Manual.
Information Security Registered Assessors Program. An Australian Signals Directorate initiative to provide high quality information and communications technology security assessment services to government. Source: ASD.
Internal system user. An employee, secondee or third party authorised by the
Participant’s organisation or agency to access and perform functions on the identity
service. E.g. a system administrator. Source: TDIF.
IRAP assessment. A review by an IRAP Assessor of the implementation,
appropriateness and effectiveness of the information security controls within a
computing environment. Source: ASD.
IRAP Assessor. An ASD certified information security professional endorsed to
provide information security services to Australian governments who can provide an
independent assessment of information security, suggest mitigations and highlight
residual risks. Source: ASD.
Key. A string of characters used with a cryptographic algorithm to encrypt and
decrypt. Source: Gatekeeper PKI Framework.
Knowledge Based Authentication. See Shared Secrets.
Linking document. A document which demonstrates the continuity of the claimed
identity where identity attributes, such as name or date of birth, have changed.
Source: TDIF.
Liveness detection. The measurement and analysis of anatomical characteristics or
involuntary or voluntary reactions, in order to determine if a biometric sample is being
captured from a living subject present at the point of capture. Liveness detection
methods are a subset of presentation attack detection methods. Source: ISO/IEC
30107-1:2016.
MAY. Means truly optional. This requirement has no impact on an Applicant’s ability
to achieve or maintain TDIF accreditation if it is implemented or ignored. Source:
TDIF.
Memorandum of Understanding. An agreement between two or more parties which
expresses the terms and intended common action of the parties. Source: TDIF.
Memorised secret. A secret value chosen and memorised by the user, commonly
referred to as a password or, if numeric, a PIN. Source: TDIF.
Multi-factor authentication. An authentication protocol that relies on more than one
authentication factor for successful authentication. Source: NeAF.
Multi-factor cryptographic (device). A hardware device that performs cryptographic
operations using one or more protected cryptographic keys and requires activation
through a second authentication factor (either something a person knows or
something a person is). Source: TDIF.
Multi-factor cryptographic (software). A cryptographic key stored on disk or some
other "soft" media that requires activation through a second authentication factor
(either something a person knows or something a person is). Source: TDIF.
Multi-factor cryptographic (trusted device). A Multi-factor Cryptographic device
that has been evaluated by ASD and is on the ASD Evaluated Products List. Source:
TDIF.
Multi-factor One-Time Password. A trusted device that generates OTPs as part of
an authentication activity. This includes hardware devices and software-based OTP
generators installed on devices such as mobile phones. The OTP is displayed on the
device and input or transmitted by a person, proving possession and control of the
device. Source: TDIF.
MUST. Means an absolute requirement of the TDIF. Failure to meet this requirement
will impact the Applicant’s ability to achieve and maintain TDIF accreditation. Source:
TDIF.
MUST NOT. Means an absolute prohibition of the TDIF. Failure to prevent this
prohibition from occurring will impact the Applicant’s ability to achieve and maintain
TDIF accreditation. Source: TDIF.
National e-Authentication Framework. A risk-based approach applied to identify
and authenticate people to a desired level of assurance for online interactions.
Source: NeAF.
National Identity Proofing Guidelines. The Council of Australian Governments'
national guidelines for identity proofing. The TDIF Identity Proofing Requirements are
broadly based on the NIPG. Source: Department of Home Affairs.
Non-Person Entity. An entity with a digital identity that acts in the digital environment
but is not a human actor. This can include organisations, hardware devices, software
applications, and information artefacts. Also see individual. Source: NIST.
One-Time Password. A password that is changed each time it is required. Source:
NeAF.
Operating Rules. Sets out the legal framework for the operation of the identity
federation, including key rights, obligations and liabilities of participants. Source:
TDIF.
Out-of-band device. A physical device that uses an alternative channel for
transmitting information – e.g. an SMS to send a PIN or one-time password. Source:
TDIF.
Oversight Authority. The entity responsible for the administration and oversight of
the identity federation in accordance with the Operating Rules and TDIF, including
making decisions about which Applicants should be accredited, which Accredited
Providers’ accreditation should be continued, and which Relying Parties are approved
to join. Source: TDIF.
Participant. The Oversight Authority and each Identity Exchange, Attribute Service
Provider, Credential Service Provider, Identity Service Provider and Relying Party that
operate in the identity federation. Source: TDIF.
Person. Expressions used to denote persons generally (such as ‘person’, ‘party’, ‘someone’,
‘anyone’, ‘no-one’, ‘one’, ‘another’ and ‘whoever’) include a body politic or corporate
as well as an individual. Source: Acts Interpretation Act 1901.
Personal information. Information or an opinion about an identified individual, or an
individual who is reasonably identifiable:
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not.
Source: Privacy Act 1988.
Personnel. Any member of a Participant’s staff or contracted service provider’s staff
used to service the Participant’s contracts, or other people who provide services to
the agency or access Participant information or assets as part of sharing initiatives.
Source: PSPF (adapted by DTA).
Photo ID. Photographic Identification (Photo ID). An identity document with attributes
and a facial image of the identity document holder that are verifiable with an
Authoritative Source. Source: TDIF.
Presentation attack. Presentation to a data capture subsystem with the goal of
interfering with the operation of the data system. A Presentation attack can be
implemented through a number of methods, e.g. artefact, mutilations, replay, etc.
Source: ISO/IEC 30107-1:2016.
Privacy Champion. A senior official within the agency who has the functions of:
a. promoting a culture of privacy within the agency that values and protects
personal information;
b. providing leadership within the agency on broader strategic privacy
issues;
c. reviewing and/or approving the agency’s privacy management plan, and
documented reviews of the agency’s progress against the privacy
management plan; and
d. providing regular reports to the agency’s executive, including about any
privacy issues arising from the agency’s handling of personal
information.
Source: Privacy (Australian Government Agencies – Governance) APP Code 2017.
Privacy Impact Assessment. A systematic assessment of an identity service that
identifies the impact that the identity service might have on the privacy of people, and
sets out recommendations for managing, minimising or eliminating that impact.
Source: OAIC.
Proof of Record Ownership. A method of performing identity matching at a Relying
Party, which handles scenarios where there is an uncertain potential match, by
requesting the user to answer questions which demonstrate record ownership.
Source: DHS.
Protective security documentation. The minimum set of documents that an
Applicant develops as part of meeting the protective security obligations of TDIF
accreditation. Source: TDIF.
Public Key Infrastructure. The combination of hardware, software, people, policies
and procedures needed to create, manage, store and distribute keys and certificates
based on public key cryptography. Source: Gatekeeper PKI Framework.
Registries of Births, Deaths and Marriages. Register a birth, apply for a certificate,
change your name or search your family history. The registration of births, deaths and
marriages, changes of name, changes of sex, adoptions and provision of certificates
is the responsibility of the state and territory governments in Australia. Source:
Australian Government.
Relying Party. An organisation or government agency that relies on verified identity
information, attributes or assertions provided by identity service providers and
attribute providers through an identity exchange to enable the provision of a digital
service. Source: TDIF.
Repudiation. A denial by a person that an act attributed to them was performed by
them. Examples of such an act include an Assertion, a declaration and a transaction.
Source: NeAF.
Requirements Traceability Matrix. Captures the output from requirements tracing, a
process of documenting the links between the requirements and the Test Cases
developed to verify and validate those requirements (see Verification and
Validation). Source: AS NZS ISO/IEC IEEE 29119.1-2015.
Risk. The effect of uncertainty on objectives. An effect is a deviation from the
expected – positive and/or negative. Risk is often expressed in terms of a
combination of the consequences of an event (including changes in circumstances or
knowledge) and the associated likelihood of occurrence. Source: ISO 31000:2018.
Risk appetite. The amount and type of risk an entity is willing to accept or retain in
order to achieve its objectives. It is a statement or series of statements that describes
the organisation’s attitude toward risk taking. Source: ISO 31000:2018.
Risk assessment. The process of risk identification, risk analysis and risk evaluation.
Source: ISO 31000:2018.
Risk-based testing. Testing in which the management, control and priority are based upon
the Risk Rating assigned to the requirement. Source: AS NZS ISO/IEC IEEE
29119.1-2015.
Risk management. The coordinated activities and actions taken to ensure that an
organisation is conscious of the risks it faces, makes coordinated and informed
decisions in managing those risks and identifies potential opportunities. Source:
ISO 31000:2018.
Risk management framework. A set of components that provide the foundations
and organisational arrangements for designing, implementing, monitoring, reviewing
and continually improving risk management throughout the organisation. Source:
ISO 31000:2018.
Risk profile. A description of any set of risks. The set of risks can contain those that
relate to the whole organisation, part of the organisation or as otherwise defined.
Source: ISO 31000:2018.
Risk tolerance. The levels of risk taking that are acceptable in order to achieve a
specific objective or manage a category of risk. Source: ISO 31000:2018.
Road Traffic and Transport Authorities. State and territory governments have
responsibility for roads and road transport within their jurisdiction. Their websites may
include information about traffic and road conditions, road construction, road rules,
and road safety, as well as vehicle registration and licensing. Source: Australian
Government.
Sensitive information. Information or an opinion about an individual’s:
• Racial or ethnic origin; or
• Political opinions; or
• Membership of a political association; or
• Religious beliefs or affiliations; or
• Philosophical beliefs; or
• Membership of a professional or trade association; or
• Membership of a trade union; or
• Sexual orientation or practices; or
• Criminal record; or
• That is also personal information; or
• Health information about an individual; or
• Genetic information about an individual that is not otherwise health information; or
• Biometric information that is to be used for the purpose of automated biometric
verification or biometric identification; or
• Biometric templates.
Source: Privacy Act 1988.
Serious and complex fraud. Fraud which, due to its size or nature, is considered too
complex for most entities to investigate. Source: Commonwealth Fraud Control
Policy.
Service operations testing. The testing process that covers the testing required to
validate that the testable aspects of operating an In-Service (Production) system
demonstrate conformance to the Service Operation Requirements. Source: TDIF.
Session. Once authentication has taken place a session may be established to allow
a person to continue accessing the service across multiple subsequent interactions
without requiring repeated authentication. Source: TDIF.
Shared risk. A risk with no single owner, where more than one entity is exposed to or
can significantly influence the risk. The responsibility for managing a shared risk is
shared by all relevant identity federation participants and will benefit from a
coordinated response where one identity federation participant takes a lead role.
Source: TDIF.
Shared Secret. A secret used in authentication that is known to the subscriber and
the verifier. Source: TDIF.
Sighting. The examination of a document by a trained operator to confirm the
authenticity of the identity document. Source: TDIF.
Single-factor authentication. An authentication protocol that relies on only one
authentication factor for successful authentication. Source: TDIF.
Single-factor cryptographic (software). A cryptographic key stored in some form of
‘soft’ media. Authentication is accomplished by proving possession and control of the
key. Source: TDIF.
Single-factor One-Time Password (device). A device that generates OTPs,
including hardware devices (e.g. a dongle), SMS or software-based OTP generators
installed on devices such as mobile phones. The OTP is displayed on the device and
input or transmitted by a person. Source: TDIF.
Source verification. The act of verifying identity attributes and information with an
Authoritative Source. Source: TDIF.
Step up. A process where the level of assurance of an individual’s identity is
increased from one IP level to the next IP level. Source: TDIF.
Subscriber. A person who has received a credential or authenticator from a CSP.
Source: TDIF.
System testing. A way of validating systems through executing the user flows, user
interactions and component interactions to ensure that the system has all the required
functionality specified in the TDIF. Source: TDIF.
TDIF Accreditation Criteria. The criteria and requirements a person will be required
to meet to become an Identity Exchange, a Credential Service Provider, an Identity
Service Provider, or an Attribute Service Provider (except criteria or requirements
waived by the Oversight Authority) in accordance with the TDIF. Source: TDIF.
TDIF Accreditation Process. The process which involves a combination of
documentation requirements, third party evaluations and operational testing that
Applicants must complete to the satisfaction of the Trust Framework Accreditation
Authority in order to achieve Trust Framework accreditation. Source: TDIF.
Technical integration testing. A testing process used to validate the conformance to
Technical Integration requirements included in the TDIF technical profiles. Source:
TDIF.
Technical verification. The act of verifying identity attributes and information using a
cryptographically secure element of the document, such as a secure chip or a PDF
document signature. Source: TDIF.
Test artefacts. The products developed in the different phases of the testing life cycle
are known as Test Artefacts. These may be electronic documents or output from a
Test . Source: AS NZS ISO/IEC IEEE 29119.1-2015.
Test case. Documents preconditions (including test data), expected results and post
conditions, developed for a particular test scenario in order to verify compliance
against a specific requirement. Source: AS NZS ISO/IEC IEEE 29119.1-2015.
Test condition. A testable aspect of a feature, requirement or attribute. Source: AS
NZS ISO/IEC IEEE 29119.1-2015.
Test sets. A group of Test Cases that belong to specific tasks or features, or where
there is some other reason for the Test Cases to be executed at the same time.
Source: AS NZS ISO/IEC IEEE 29119.1-2015.
Test tool. A test management tool is software used to manage tests (automated or
manual). Source: AS NZS ISO/IEC IEEE 29119.1-2015.
Trust framework. A term used to define the scope and purpose of the identity
system, determines what roles are to be included and what duties are assigned to
those roles, sets the eligibility requirements for entities seeking to fulfil those roles and
establishes the rules and regulations for processing of identity information within the
context of the identity system. Source: OIX.
Trust Framework Accreditation Authority. The entity which manages the TDIF
Accreditation Process and makes decisions in relation to the accreditation of
Applicants and Accredited Providers. In time the TFAA will be replaced by the
Oversight Authority. Source: TDIF.
Trusted device. A device for facilitating authentication that a person controls and that
is enrolled as part of the creation of the credential. Source: TDIF.
Trusted Digital Identity Framework. The TDIF contains the tools, rules and
accreditation criteria to govern the identity federation. It provides the required
structure and controls to deliver confidence to participants that all Accredited
Providers in the identity federation have met their accreditation obligations and as
such may be considered trustworthy. These obligations cover privacy, protective
security, accessibility and usability, risk management, records management, fraud
control, technical integration, service operations, identity proofing and authentication
credential management. Source: TDIF.
Trusted referee. A trusted referee is a person or organisation that holds a position of
trust in the community and does not have a conflict of interest, such as an Aboriginal
elder or reputable organisation that the person is a customer, employee or contractor
of, and is known and listed by the enrolling agency to perform the function of a
referee. The Statutory Declarations Act 1959 provides a list of people who hold a
position of trust in the community. Similar lists are also generally included in state and
territory legislation. Trusted referees may also include guardians or other people
nominated to act on a person’s behalf whose identities have been verified.
Source: NIPGs.
Unique in context. A digital identity is created with a unique combination of
legitimate personal and contact information. Different combinations of personal and
contact information can be used to create additional digital identities, each unique
within the IdP’s system. This enables people – if they choose to do so – to establish
one or multiple digital identities with one or multiple IdPs. Source: TDIF.
Use in the Community document. A government issued document or a document
issued by a reliable and independent source used to demonstrate the use of an
individual’s identity in the community over time (e.g. a Medicare card). Source: TDIF.
User. A person who establishes a digital identity to obtain digital services from
Relying Parties (e.g. the general public). Source: TDIF.
User dashboard. A collective term for the features that an Identity Exchange
provides to a user that has been authenticated by an Authentication Credential
Service Provider. Source: TDIF.
User experience. A person’s perceptions and responses that result from the use or
anticipated use of a product, system or service. For the purpose of the TDIF this
covers the accessibility, usability and inclusive design aspects of solution design to
ensure identity services are straightforward, easy to use, secure and trusted. Source:
ISO 9241-210.
User researcher. A person who focuses on understanding user behaviours, needs,
and motivations through observation techniques, task analysis, and other feedback
methodologies. Source: DTA.
Validation (in an identity proofing context). A check that the attribute exists and is
under the control of the individual (e.g. SMS activation code being sent to a mobile
phone number to confirm control of the associated phone number). Source: TDIF.
Validation (in an integration testing context). Testing a system under controlled
conditions providing evidence that the system satisfies TDIF requirements and
satisfies intended use and user needs. Validation involves testing that functionality
works as specified, designed and constructed, including testing boundary conditions
to ensure that the system is robust when in production. Source: TDIF.
Vendor. A person or company offering something for sale. Source: dictionary.
Verification. Provides confirmation, through the provision of objective evidence, that
TDIF requirements have been fulfilled. Source: TDIF.
White box system testing. A security testing and examination technique performed
by a protective security specialist. White box techniques involve direct analysis of an
application’s source code. White box techniques are generally more efficient and
cost-effective for finding security defects in custom applications than black box
techniques. Source: NIST SP 800-115.