From MgmtWiki
Revision as of 11:51, 20 July 2019 by Tom (talk | contribs) (Problems)

Jump to: navigation, search

Full Title or Meme

A Credential in the digital realm is a structure which contains, at a minimum, a secret value which can be used in Authentication of a Subject.


  • The original digital Credential was just a shared secret, usually called a Password.
  • More secure Credentials keep private keys which are used to build an Identity Token which can include anti-replay elements, that (with User Consent) is sent to a requester.


  • The only truly secure Credential is one with a secret that the Subject owns and controls.
  • The secret in the credential cannot be shared in any know scalable secure manner, so it must simple be the source of some Authentication response that is secure from spoofing and replay.

RFC 4949 Definiton

The following taken from rfc 4949 give some history and some challenges around the use of the word Credential.

  1. /authentication/ "identifier credential": A data object that is a portable representation of the association between an identifier and a unit of authentication information, and that can be presented for use in verifying an identity claimed by an entity that attempts to access a system. Example: X.509 public-key certificate. (See: anonymous credential.)
  2. /access control/ "authorization credential": A data object that is a portable representation of the association between an identifier and one or more access authorizations, and that can be presented for use in verifying those authorizations for an entity that attempts such access. Example: X.509 attribute certificate. (See: capability token, ticket.)
  3. /OSIRM/ "Data that is transferred to establish the claimed identity of an entity." [I7498-2] Deprecated Definition: IDOCs SHOULD NOT use the term with definition 3. As explained in the tutorial below, an authentication process can involve the transfer of multiple data objects, and not all of those are credentials.
  4. /U.S. Government/ "An object that is verified when presented to the verifier in an authentication transaction." Deprecated Definition: IDOCs SHOULD NOT use the term with definition 4; it mixes concepts in a potentially misleading way. For example, in an authentication process, it is the identity that is "verified", not the credential; the credential is "validated". (See: validate vs. verify.)
     Tutorial: In general English, "credentials" are evidence or
     testimonials that (a) support a claim of identity or authorization
     and (b) usually are intended to be used more than once (i.e., a
     credential's life is long compared to the time needed for one
     use). Some examples are a policeman's badge, an automobile
     driver's license, and a national passport. An authentication or
     access control process that uses a badge, license, or passport is
     outwardly simple: the holder just shows the thing.
     The problem with adopting this term in Internet security is that
     an automated process for authentication or access control usually
     requires multiple steps using multiple data objects, and it might
     not be immediately obvious which of those objects should get the
     name "credential".
     For example, if the verification step in a user authentication
     process employs public-key technology, then the process involves
     at least three data items: (a) the user's private key, (b) a
     signed value -- signed with that private key and passed to the
     system, perhaps in response to a challenge from the system -- and
     (c) the user's public-key certificate, which is validated by the
     system and provides the public key needed to verify the signature.
     -  Private key: The private key is *not* a credential, because it
        is never transferred or presented. Instead, the private key is
        "authentication information", which is associated with the
        user's identifier for a specified period of time and can be
        used in multiple authentications during that time.
     -  Signed value: The signed value is *not* a credential; the
        signed value is only ephemeral, not long lasting. The OSIRM
        definition could be interpreted to call the signed value a
        credential, but that would conflict with general English.
     -  Certificate: The user's certificate *is* a credential. It can
        be "transferred" or "presented" to any person or process that
        needs it at any time. A public-key certificate may be used as
        an "identity credential", and an attribute certificate may be
        used as an "authorization credential".


  • A Certificate binds a credential to an Identifier of its Subject as well as (potentially) other Attributes.
  • Often there is also a binding to some sort of real-world credential, typically a piece of paper with a seal.
  • NIST 800-63 (all versions) describe a Credential Service Provider which is designed to issue credentials to users after they by had the Identity Proofing prior to employment by the government. This flow can be substantially different in commercial systems, but there is always a need to verify the security of the user's private key or other secret that is a part of a credential.
  • Web Authentication defines a Public Key Credential as data one entity presents to another in order to authenticate the former to the latter [RFC4949]. The term public key credential refers to one of: a public key credential source, the possibly-attested credential public key corresponding to a public key credential source, or an authentication assertion. Which one is generally determined by context.