Full Title or Meme
- The original digital Credential was just a shared secret, usually called a Password.
- More secure Credentials hold a private key, which is used to build an Identity Token that can include anti-replay elements and that (with User Consent) is sent to a requester.
- The only truly secure Credential is one with a secret that the Subject owns and controls.
- The secret in the credential cannot be shared in any known scalable secure manner, so it must simply be the source of some Authentication response that is secure from spoofing and replay.
- A Certificate binds a credential to an Identifier of its Subject as well as (potentially) other Attributes.
- Often there is also a binding to some sort of real-world credential, typically a piece of paper with a seal.
- NIST 800-63 (all versions) describes a Credential Service Provider, which is designed to issue credentials to users after they have completed Identity Proofing prior to employment by the government. This flow can be substantially different in commercial systems, but there is always a need to verify the security of the user's private key or other secret that is part of a credential.
- Web Authentication defines a Public Key Credential as data one entity presents to another in order to authenticate the former to the latter [RFC4949]. The term public key credential refers to one of: a public key credential source, the possibly-attested credential public key corresponding to a public key credential source, or an authentication assertion. Which one is meant is generally determined by context.
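The points above about a private key that never leaves the Subject, an Identity Token with anti-replay elements, and an Authentication response secure from spoofing and replay can be made concrete with a small challenge-response exchange. The following Go program is an added example written for this page; it is not code from Web Authentication, NIST 800-63 or any real authenticator. It assumes a verifier identifier `example.com`, a credential identifier `cred-1`, and a simple length-prefixed message layout, all of which are constructed for illustration. The verifier (requester) stores only the public key, issues a fresh random challenge, and accepts an assertion only if the signature covers the verifier's own identifier and that exact challenge, the challenge has not been used before, and the signature counter has advanced.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential models the Subject-held half of a public key credential.
// The private key never leaves this struct; only signatures do.
type Credential struct {
	ID      string
	counter uint32 // monotonically increasing signature counter (anti-replay element)
	priv    ed25519.PrivateKey
}

// Assertion is the Identity Token sent to the requester: the challenge it
// issued, the counter, and a signature over both plus the requester's identifier.
type Assertion struct {
	CredentialID string
	Challenge    []byte
	Counter      uint32
	Signature    []byte
}

// Verifier models the requester. It holds public keys only, the set of
// outstanding challenges, and the last counter seen per credential.
type Verifier struct {
	ID       string // bound into every signed message; "example.com" is a constructed value
	pubKeys  map[string]ed25519.PublicKey
	pending  map[string]bool
	lastSeen map[string]uint32
}

func NewVerifier(id string) *Verifier {
	return &Verifier{ID: id, pubKeys: map[string]ed25519.PublicKey{},
		pending: map[string]bool{}, lastSeen: map[string]uint32{}}
}

// NewCredential generates a fresh key pair owned and controlled by the Subject.
func NewCredential(id string) (*Credential, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Credential{ID: id, priv: priv}, nil
}

// Register stores the credential's public key with the verifier (registration step).
func (v *Verifier) Register(c *Credential) {
	v.pubKeys[c.ID] = c.priv.Public().(ed25519.PublicKey)
}

// NewChallenge issues a fresh random nonce and records it as outstanding.
func (v *Verifier) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	v.pending[string(ch)] = true
	return ch, nil
}

// signedMessage binds verifier ID, challenge and counter into one byte string
// with length prefixes so that different field splits cannot collide.
func signedMessage(verifierID string, challenge []byte, counter uint32) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint16(len(verifierID)))
	buf.WriteString(verifierID)
	binary.Write(&buf, binary.BigEndian, uint16(len(challenge)))
	buf.Write(challenge)
	binary.Write(&buf, binary.BigEndian, counter)
	return buf.Bytes()
}

// Assert is the Subject's authentication response to a challenge from verifierID.
func (c *Credential) Assert(verifierID string, challenge []byte) Assertion {
	c.counter++
	msg := signedMessage(verifierID, challenge, c.counter)
	return Assertion{CredentialID: c.ID, Challenge: challenge, Counter: c.counter,
		Signature: ed25519.Sign(c.priv, msg)}
}

// Verify accepts an assertion only if the challenge is outstanding (consumed on
// first use, so a replay fails), the signature is valid over this verifier's own
// ID (so an assertion made for another requester fails), and the counter advanced.
func (v *Verifier) Verify(a Assertion) error {
	pub, ok := v.pubKeys[a.CredentialID]
	if !ok {
		return errors.New("unknown credential")
	}
	if !v.pending[string(a.Challenge)] {
		return errors.New("challenge not outstanding: replayed or never issued")
	}
	delete(v.pending, string(a.Challenge)) // single use, whatever the outcome
	if !ed25519.Verify(pub, signedMessage(v.ID, a.Challenge, a.Counter), a.Signature) {
		return errors.New("bad signature")
	}
	if a.Counter <= v.lastSeen[a.CredentialID] {
		return errors.New("signature counter did not advance")
	}
	v.lastSeen[a.CredentialID] = a.Counter
	return nil
}

func main() {
	v := NewVerifier("example.com")
	c, _ := NewCredential("cred-1")
	v.Register(c)
	ch, _ := v.NewChallenge()
	a := c.Assert("example.com", ch)
	fmt.Println("first use:", v.Verify(a)) // nil
	fmt.Println("replay:   ", v.Verify(a)) // error
}
```

The design point is that the verifier never learns the secret; the credential is only ever the source of a response, and the two anti-replay elements (a single-use challenge and a strictly increasing counter) are what turn a bare signature into an Authentication response that a captured copy cannot reuse.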