!!! Overview
A [{$pagename}] is a [claim] (or set of [claims]) made by an [entity] about a [Digital Identity].[1]

A [Credential Holder] makes a [Claim] that the password for a specific [Digital Identity] has a specific value. Or a [Credential Holder] may just state that they [Authenticated] the [Digital Identity] to some specific [Level Of Assurance].

[Authentication] is the process of the [Verification] of a [{$pagename}].

A [{$pagename}] may be as subtle as a [Website] associating an [IP Address] with a [cookie]. Although this [{$pagename}] may have a very low [Level Of Assurance], it is a method of [Authentication] and an [Identification] which separates this specific [Entity] from the [Anonymity Set].

A [{$pagename}] is [evidence] of an [entity]’s claimed [Identification].

!! [{$pagename}] types
[{$pagename}]s come in many types, from physical papers, [Identity Documents] and cards (such as a passport or [Payment Card]) to electronic items (such as a [password] or digital [certificate]), and often incorporate anti-tamper features.

Within the [United States federal government] a [Personal Identity Verification] ([PIV]) is a [credential].

[{$pagename}]s, regardless of type, associate an identity with an [entity] (typically via an identifier) and identify the [Organizational Entity] that issued the [{$pagename}]:
* Your [Driver License] includes a license number, your name, and a state seal.
* A [Payment Card] includes a card number, your name, and a corporate symbol.
* A PIV credential contains a picture, the issuing agency logo, and [cryptographic] key pairs.

Some [{$pagename}]s indicate [authorizations] granted to the [entity] by the issuing [Organizational Entity]. For [example], a [Driver License] includes the [authorization] to drive a car.

Unlike identities, [{$pagename}]s generally expire.
If an identity continues past the expiration date of the [{$pagename}], a new credential is issued:
* Your [Driver License] expires after so many years and you receive a new one.
* Your [Payment Card] expires after so many years and you receive a new one.
* Your [PIV] credential expires after three to six years and you receive a new one.

A [{$pagename}] that is lost or compromised before it expires may be revoked by the organization that issued it.

Credentials can incorporate something you know (such as a password or PIN), something you have (such as a card), or something you are (such as a fingerprint or iris). Some credentials incorporate more than one option, and are referred to as two-factor, three-factor or multi-factor.

As with [Identity Proofing], [{$pagename}]s have different [Level Of Assurance] depending on the strength required. The [{$pagename}] for accessing your bank account is likely stronger than the credential for accessing your health club.

!! Good [{$pagename}]
A good [{$pagename}] must meet the following criteria:
* easy to remember
* easy to change
* hard to guess
* hard to [intercept|Data In Transit]

A set of credentials that meets these criteria is a good set of credentials.

!! [Derived Credential][2]
[NIST] has defined Derived credentials to refer to credentials that are derived from those in a [Personal Identity Verification] ([PIV]) card or [Common Access Card] ([CAC]) and carried in a [Mobile Device] instead of the card. A [CAC] card is a [PIV] card issued by the [United States Department of Defense].

We assume this would be similar to the adding of a [Payment Card] to a [Digital Wallet].

[NIST.SP.800-157] is titled "Guidelines for Derived Personal Identity Verification (PIV) Credentials".

The Electronic Authentication Guideline, [NIST.SP.800-63], defines a derived credential more broadly as:

A [credential] issued based on [Proof-of-Possession] and control of a [claim] associated with a previously issued [credential], so as not to duplicate the [Identity Proofing] process.

!! [Compromised Credential]
[Compromised Credentials] are any [Credentials] that the owner is not in control of or that another [entity] has gained access to.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Identity Credentials 1.0|https://opencreds.org/specs/source/identity-credentials/|target='_blank'] - based on information obtained 2017-10-15
* [#2] - [Protecting Derived Credentials without Secure Hardware in Mobile Devices|http://pomcor.com/2014/04/01/protecting-derived-credentials-without-secure-hardware-in-mobile-devices/|target='_blank'] - based on information observed on 2014-04-02
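
The properties this page attributes to a credential (an issuing organization, an identifier, granted authorizations, an expiry date, and revocation by the issuer) can be checked in one verification routine; the following Python is an added example, not part of the original page or of any cited specification. The issuer name, key, field names and revocation list are constructed, and an HMAC is assumed as a stand-in for the anti-tamper feature, where a real issuer would normally use a digital signature.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data: a demo issuer key and a revocation list.
ISSUER_KEYS = {"dmv.example": b"demo-key-not-for-production"}
REVOKED_IDS = {"DL-0002"}


def _seal(key: bytes, body: dict) -> bytes:
    """HMAC over canonical JSON; an assumed stand-in for an issuer signature."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest().encode()


def issue(issuer, cred_id, subject, authorizations, expires):
    """Bind an identifier, subject, authorizations and expiry to the issuer."""
    body = {"issuer": issuer, "id": cred_id, "subject": subject,
            "authorizations": sorted(authorizations), "expires": expires}
    return {**body, "seal": _seal(ISSUER_KEYS[issuer], body).decode()}


def verify(cred: dict, needed: str, now: datetime) -> str:
    """Return 'ok' or the first reason the credential is rejected."""
    key = ISSUER_KEYS.get(str(cred.get("issuer")))
    if key is None:
        return "unknown issuer"
    # Check integrity first: no other field is trustworthy until the seal holds.
    body = {k: v for k, v in cred.items() if k != "seal"}
    if not hmac.compare_digest(_seal(key, body), str(cred.get("seal")).encode()):
        return "tampered"
    if cred["id"] in REVOKED_IDS:
        return "revoked"
    if now >= datetime.fromisoformat(cred["expires"]):
        return "expired"
    if needed not in cred["authorizations"]:
        return "not authorized"
    return "ok"


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    lic = issue("dmv.example", "DL-0001", "alice", ["drive:car"],
                "2030-01-01T00:00:00+00:00")
    print(verify(lic, "drive:car", now))
    print(verify({**lic, "expires": "2099-01-01T00:00:00+00:00"}, "drive:car", now))
```

Revocation and expiry are evaluated only after the seal verifies, so an altered identifier or expiry date is reported as tampering rather than being trusted.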