OFFICIAL

01 - Glossary of Abbreviations and Terms

Trusted Digital Identity Framework (TDIF) Release 4 (R4) December 2019, version 0.3

CONSULTATION DRAFT


Digital Transformation Agency

This work is copyright. Apart from any use as permitted under the Copyright Act 1968

and the rights explicitly granted below, all rights are reserved.

Licence

With the exception of the Commonwealth Coat of Arms and where otherwise noted,

this product is provided under a Creative Commons Attribution 4.0 International

Licence. (http://creativecommons.org/licenses/by/4.0/legalcode)

This licence lets you distribute, remix, tweak and build upon this work, even

commercially, as long as you credit the DTA for the original creation. Except where

otherwise noted, any reference to, reuse or distribution of part or all of this work must

include the following attribution:

Trusted Digital Identity Framework (TDIF)™: 01 – Glossary of Abbreviations and

Terms © Commonwealth of Australia (Digital Transformation Agency) 2019

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It’s an Honour website (http://www.itsanhonour.gov.au)

Contact us

The Digital Transformation Agency is committed to providing web accessible content

wherever possible. This document has undergone an accessibility check however, if

you are having difficulties with accessing the document, or have questions or

comments regarding the document please email the Director, Digital Identity Policy at

[email protected].


Document management

The Trust Framework Accreditation Authority (TFAA) has reviewed and endorsed this

document for release.

Change log

Version Date Author Description of the changes

0.1 July 2019 SJP Initial version (removed from the previously titled TDIF Overview and Glossary)

0.2 Sep 2019 SJP Updated to incorporate feedback provided by key stakeholders during the first round of collaboration on TDIF Release 4

0.3 Dec 2019 SJP Updated to incorporate feedback provided by key stakeholders during the second round of collaboration on TDIF Release 4


1 Glossary of abbreviations

Term Meaning

3DES Triple Data Encryption Standard

AACA Australian Signals Directorate Approved Cryptographic Algorithm

AACP Australian Signals Directorate Approved Cryptographic Protocol

ABN Australian Business Number

ABR Australian Business Register

ACDC Australian Commercial Disputes Centre

ACSC Australian Cyber Security Centre

ACE Australian Signals Directorate Cryptographic Evaluation

ACR Authentication Context Class Reference

AES Advanced Encryption Standard

AFP Australian Federal Police

AGIMO Australian Government Information Management Office

AGIS Australian Government Investigations Standards

AGSVA Australian Government Security Vetting Agency

AIC Australian Institute of Criminology

ALGA Australian Local Government Association

APC Approved Privacy Code

API Application Programming Interface

APP Australian Privacy Principles

ASD Australian Signals Directorate


ASIC Australian Securities and Investments Commission

ASIO Australian Security Intelligence Organisation

AS NZS Australia and New Zealand Standards

B2B Business to Business

B2I Business to Individual

B2G Business to Government

CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart

CDPP Commonwealth Director of Public Prosecutions

CFC Community Footprint Check

CFCF Commonwealth Fraud Control Framework

CISO Chief Information Security Officer

CKMP Cryptographic Key Management Plan

CL Authentication Credential Level

COAG Council of Australian Governments

CoI Commencement of Identity

CSP Credential Service Provider

DH Diffie-Hellman

DHS Department of Human Services

DLM Dissemination Limiting Marker

DoH Department of Health

DFAT Department of Foreign Affairs and Trade


DRBCP Disaster Recovery and Business Continuity Plan

DSA Digital Signature Algorithm

DTA Digital Transformation Agency

DVS Document Verification Service

EAL Evaluation Assurance Level

ECDH Elliptic Curve Diffie-Hellman

ECDSA Elliptic Curve Digital Signature Algorithm

EDI Electronic Data Interchange

EoI Evidence of Identity

EPL Evaluated Products List

EU GDPR European Union General Data Protection Regulation

FoD Fact of Death File

FVS Face Verification Service

G2G Government to Government

HSM Hardware Security Module

ICT Information and Communication Technologies

IEEE Institute of Electrical and Electronics Engineers

IETF Internet Engineering Task Force

I2I Individual to Individual

I2G Individual to Government

IdP Identity Service Provider

IP Identity Proofing Level


IRAP Information Security Registered Assessors Program

IRP Incident Response Plan

ISD Information Security Documents

ISM Australian Government Information Security Manual

ISO/IEC International Organization for Standardization / International Electrotechnical Commission

ISP Information Security Policy

IT Information Technology

ITSA Information Technology Security Adviser

ITSM Information Technology Security Manager

ITSO Information Technology Security Officer

ITU-T International Telecommunication Union – Telecommunication Standardization Sector

LOA Level of Assurance

MitM Man in the Middle (attack)

MOA Memorandum of Agreement

MOU Memorandum of Understanding

NDES National Digital Economy Strategy

NeAF National eAuthentication Framework

NDLFRS National Driver Licence Facial Recognition Solution

NIAP National Information Assurance Partnership

NIPG National Identity Proofing Guidelines

NIST National Institute of Standards and Technology


NIST SP NIST Special Publication

NPE Non-Person Entity

NTIF National Trusted Identities Framework

OA Oversight Authority

OAIC Office of the Australian Information Commissioner

OASIS Organisation for the Advancement of Structured Information Standards

OECD Organisation for Economic Co-operation and Development

OID Object Identifier

OIDC OpenID Connect 1.0

OIX Open Identity Exchange

ORs Operating Rules

OTP One-Time Password

PAD Personal Authentication Device

PESP Physical and Environmental Security Plan

PIA Privacy Impact Assessment

PII Personally Identifiable Information

PIN Personal Identification Number

PKI Public Key Infrastructure

PM&C Prime Minister and Cabinet

PORO Proof of Record Ownership

PP Protection Profile


PSP Personnel Security Plan

PSPF Australian Government Protective Security Policy Framework

PSRR Protective Security Risk Review

RBDM Registries of Births, Deaths and Marriages

RCA Root Certification Authority

RFC Request for Comments

RP Relying Party

RSA Rivest-Shamir-Adleman

RTA Road Traffic and Transport Authorities

RTM Requirements Traceability Matrix

SA Services Australia

SAML Security Assertion Markup Language

SHA Secure Hash Algorithm

SMS Short Message Service

SoA Statement of Applicability

SOP Standard Operating Procedure

SOW Statement of Work

SRMP Security Risk Management Plan

SSP System Security Plan

TDIF Trusted Digital Identity Framework

TFAA Trust Framework Accreditation Authority

TPISAF Third Party Identity Services Assurance Framework


Top 4 Top 4 Strategies to Mitigate Cyber Security Incidents

UitC Use in the Community

UNCITRAL United Nations Commission on International Trade Law

UX User Experience


2 Glossary of terms

A wide variety of terms are used in the realm of identity management. While the definitions of many of these terms are sourced from existing government policies and international standards, the definition of some terms has been modified to meet the needs of the Trusted Digital Identity Framework. Where this occurs, the source is listed as ‘TDIF’.

Accreditation. The procedure by which an authoritative body gives independent attestation conveying formal demonstration of a Service Provider’s competence to provide services of the kind specified in an assurance framework. Source: Gatekeeper PKI Framework.

Accredited Participants. Organisations and government agencies that have achieved TDIF accreditation. Source: TDIF.

Active attack. An attack on the authentication protocol where the attacker transmits data to a User, Identity Service Provider, Credential Service Provider, Attribute Provider, Identity Exchange or Relying Party. Examples of active attacks include man-in-the-middle (MitM), impersonation, and session hijacking. Source: NIST SP 800-63-3.

Alternative binding. An attestation by a referee who has either a provable relationship with an individual claiming an identity (e.g. trusted referee) or has a professional status such that they can reliably attest to the identity of the individual. Source: TDIF.

Applicants. Organisations and government agencies that undergo the Trust Framework Accreditation Process in the role of an Attribute Service Provider, Credential Service Provider, Identity Service Provider, Identity Exchange or a combination of these. Source: TDIF.

Assertion. A statement from a verifier to a Relying Party that contains information about a subscriber. Assertions may also contain verified attributes. Source: NIST SP 800-63-3.


Assessing Officer. A person who assesses applications and makes a decision about whether a person meets the specified identity proofing requirements. The assessing officer must be an employee of the organisation, or contracted to assess applications, and must have demonstrated the necessary competency and aptitude to complete identity verification assessments. Source: TDIF.

Assessor. Consultants or independent evaluators of products, processes and systems who have the required skills, experience and qualifications to determine whether an Applicant has met specific requirements of the TDIF. Source: TDIF.

Assisted digital. An interaction between a person and an Identity Service Provider aimed at successfully completing a transaction. This can include support provided to a person during an in-person identity proofing process or registration interview. Source: TDIF.

Attribute. An item of information or data associated with a subject. Examples of attributes include information such as name, address, date of birth, e-mail address, mobile number, etc. Source: UNCITRAL.

Attribute matching. A method used by a relying party to match a set of attributes to existing records. Source: TDIF.

Attribute Service Provider. A class of accreditation supported under the TDIF. Attribute Service Providers generate and manage authorisation, qualification and entitlement attributes relating to people, and provide them to relying parties to support their decision-making processes. Where an Identity Service Provider verifies the identity of a person (e.g. I am Joe Bloggs), an Attribute Provider verifies specific attributes relating to entitlements, qualifications or characteristics of that person (e.g. this Joe Bloggs is authorised to act on behalf of business xyz in a particular capacity). Source: TDIF.

Attribute Verification Service. See Authoritative Source.

Assessment. An independent review and examination of the validity, accuracy and reliability of information contained on a system, to assess the adequacy of system controls and ensure compliance with established policies and procedures. In the context of conducting system accreditations, an audit (also known as a compliance assessment) is an examination and verification of an entity’s systems and procedures, measured against predetermined standards. Source: TDIF.


Australian Government Cyber Security Centre. Leads the Australian Government’s efforts to improve cyber security. The role of the ACSC is to help make Australia the safest place to connect online. Source: ACSC.

Australian Government Department of Health. Government agency responsible for delivering policies and programs, and for advising the Australian Government, on health, aged care and sport. The agency works with a wide range of stakeholders to ensure better health for all Australians. Source: DoH.

Australian Government Department of Home Affairs. Government agency responsible for Australia's federal law enforcement, national and transport security, criminal justice, emergency management, multicultural affairs and immigration and border-related functions and agencies. Source: Department of Home Affairs.

Australian Government Department of Human Services. Government agency responsible for the development of service delivery policy and for providing access to social, health and other payments and services. Source: DHS.

Australian Government Department of Foreign Affairs and Trade. Government agency that works to make Australia stronger, safer and more prosperous, to provide timely and responsive consular and passport services, and to ensure a secure Australian Government presence overseas. The Department provides foreign, trade and development policy advice to government and works with other government agencies to ensure that Australia’s pursuit of its global, regional and bilateral interests is coordinated effectively. Source: DFAT.

Australian Government Digital Transformation Agency. Government agency which helps government to improve digital services to make them simple, clear and fast. Source: DTA.

Australian Government Information Security Manual. A manual to assist Australian government agencies in applying a risk-based approach to protecting their information and systems. The ISM includes a set of information security controls that, when implemented, will help agencies meet their compliance requirements for mitigating security risks to their information and systems. Source: ASD.


Australian Government Protective Security Policy Framework. Defines a series of core policies and mandatory requirements with which applicable Commonwealth agencies and bodies must demonstrate their compliance. These requirements cover protective security governance, personnel security, information security and physical security. Source: AGD.

Australian Institute of Criminology. Australia's national research and knowledge centre on crime and justice, compiling trend data and disseminating research and policy advice. Source: AIC.

Australian Privacy Principles. The cornerstone of the privacy protection framework in the Privacy Act 1988. There are 13 Australian Privacy Principles and they govern standards, rights and obligations around:

• The collection, use and disclosure of personal information.

• An organisation or agency’s governance and accountability.

• Integrity and correction of personal information.

• The rights of individuals to access their personal information.

Source: OAIC.

Authentication. A function for establishing the validity and assurance of a claimed identity of a user, device or another entity in an information or communications system. Source: OECD.

Authentication credential. See Credential.

Authentication Credential Level. The level of assurance or confidence in the authentication process, ranked from lowest to highest based on the consequence of incorrectly determining that a person is who they claim they are. Source: TDIF.

Authentication factor. A piece of information and process used to authenticate or verify the identity of an entity. Source: ISO/IEC 19790.

Authoritative source. Repositories recognised by the TFAA that confirm the veracity of asserted attributes and associated information. Authoritative sources can refer to either the repositories themselves, or the methods used to access them (e.g. the DVS or FVS). Source: TDIF.


Behavioural information or information about an individual’s behaviour. Includes data on the services an individual has accessed or tried to access and when, the Identity Service Provider(s) used by the individual, the method of access and when their identity was verified.

Binding. In an identity proofing context, it is an association between a known person and a person claiming their identity (e.g. Joe Bloggs exists, I am the same Joe Bloggs). In an authentication context, it is an association between a subscriber’s identity and a credential. Source: TDIF.

Biometric information (biometrics). Information about any measurable biological or behavioural characteristics of a natural person that can be used to identify them or verify their identity, such as face, fingerprints and voice. (Under the Privacy Act 1988 biometric information is considered sensitive information, which places additional obligations on organisations.) Source: NIPG.

Biometric verification. Any means by which an individual can be uniquely identified by evaluating their biometric or behavioural characteristics. Source: TDIF.

Black box system testing. A security testing and examination technique performed by a protective security specialist. Black box techniques are performed against an application without knowledge of its source code. Black box techniques are used to assess the security of individual compiled components, interactions between components, applications, users, other systems and the external environment. Black box techniques are also used to determine how effectively an application or system can handle threats. Source: NIST SP 800-115.

Claimant. A person whose identity is to be verified using one or more authentication protocols. Source: TDIF.

Commencement of Identity. The first registration of an individual by a government agency in Australia; includes RBDM birth registrations and the issuance of Home Affairs immigration documents and records¹. Source: NIPG.

¹ In the context of the TDIF an Australian Passport is also considered a CoI document.


Commonwealth Fraud Control Framework. The Commonwealth Fraud Control Framework outlines the Australian Government’s requirements for fraud control. This includes a requirement that government entities have a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies. Source: Commonwealth Attorney-General’s Department.

Community Footprint Check. Confirms the operation of the identity in the community over time, to provide additional confidence that an identity is legitimate in that it is being used in the community (including online where appropriate). Source: NIPG.

Consent. Means express consent or implied consent. The four key elements of consent are:

• The individual is adequately informed before giving consent.

• The individual gives consent voluntarily.

• The consent is current and specific.

• The individual has the capacity to understand and communicate their consent.

Source: OAIC.

Control. Any process, policy, device, practice or other action within the internal environment of an organisation which modifies the likelihood or consequences of a risk. Source: ISO 31000.

Council of Australian Governments. The peak intergovernmental forum in Australia. The members of COAG are the Prime Minister, state and territory First Ministers and the President of the Australian Local Government Association. Source: COAG.

Credential. The technology used to authenticate a user’s identity. The user possesses the credential and controls its use through one or more authentication protocols. A credential may incorporate a password, cryptographic key or other form of secret. Source: NIPG.

Credential management. The ‘lifecycle’ approach associated with a credential, including creation, initialisation, personalisation, issue, maintenance, recovery, cancellation, verification and event logging. Source: TDIF.


Credential Service Provider. A class of accreditation supported under the TDIF. A CSP generates and manages authentication credentials which are provided to people. This function may be internalised within an IdP. Source: TDIF.

Cryptographically secure verification. Verifying the integrity of the information on a credential using an approved cryptographic process, such as the RFID chip in an e-passport or the signature on a PDF. Source: TDIF.

Cyber security incident. An occurrence or activity of a system, service or network state indicating a possible breach of protective security policy or failure of safeguards, or a previously unknown situation that may be security relevant. Examples include:

• Receiving suspicious or seemingly targeted emails with attachments or links.

• Any compromise or corruption of information.

• Unauthorised access or intrusion into an identity service.

• Data spill.

• Intentional or accidental introduction of viruses to a network.

• Denial of service attacks.

• Suspicious or unauthorised network activity.

Source: ISM.

Deduplication. The process of determining whether two or more digital identity records relate to the same person or to different people, whether within a single IdP (IdP deduplication) or across multiple IdPs, at the Exchange (ecosystem deduplication). Source: TDIF.

Digital identity. An electronic representation of an entity (an individual or another entity such as a business) and how people and other entities are recognised online. An individual’s digital identity, for instance, is an amalgamation of personal attributes and information available online that can be bound to that individual. Source: TDIF.

Document Verification Service. A national online system that checks whether the biographic information on an identity document matches the original record. The result will simply be ‘yes’ or ‘no’. The DVS does not check facial images. The DVS makes it harder for people to use fake identity documents. The DVS has been operational since 2009. Both the public and private sector use the DVS. Source: ID Match (Department of Home Affairs).


Double blind. Refers to the aspects of the TDIF that require the Identity Exchange to mediate interactions between Participants on the system. Double-blind applies between:

• The Relying Party and the Identity Service Provider.

• The Identity Service Provider and the Attribute Provider.

• The Relying Party and the Attribute Provider, unless otherwise approved by the Oversight Authority.

Double blind does not apply between the Credential Service Provider and the Identity Service Provider. Source: TDIF.
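The mediation described in the Double blind entry, modelled as an added example that is not TDIF or DTA code: a toy Identity Exchange brokers the Relying Party to Identity Service Provider request and the return assertion, so that the message the IdP receives carries no RP identifier and the assertion the RP receives names neither the IdP nor the IdP’s own subject identifier. Only the Exchange holds both ends of a transaction. The HMAC-derived pairwise pseudonym, the message shapes, the sample attributes and the names IdentityExchange, authenticate, check_double_blind and check_pairwise are assumptions made for illustration, not a description of how the TDIF Exchange is implemented; the Credential Service Provider, which the entry says is not blind to the IdP, is not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data for the walk-through (not taken from the glossary).
SAMPLE_ATTRIBUTES = {"given_name": "Joe", "family_name": "Bloggs"}


@dataclass
class IdentityExchange:
    """Toy broker between Relying Parties (RPs) and Identity Service Providers (IdPs).

    The exchange is the only party that sees both ends of a transaction. Which RP
    started a transaction is kept in `pending` and never forwarded to the IdP;
    which IdP answered is never forwarded to the RP.
    """
    pairwise_key: bytes                           # assumption: a secret held only by the exchange
    pending: dict = field(default_factory=dict)   # txn_id -> rp_id, exchange-internal state

    def request_to_idp(self, rp_id: str, idp_id: str) -> dict:
        """RP -> Exchange -> IdP leg. Returns the message the IdP receives."""
        txn = secrets.token_hex(8)
        self.pending[txn] = rp_id
        # The IdP learns a transaction id and that the exchange is asking; not the RP.
        return {"txn": txn, "from": "exchange", "to": idp_id}

    def assertion_to_rp(self, idp_id: str, idp_assertion: dict) -> dict:
        """IdP -> Exchange -> RP leg. Returns the message the RP receives."""
        rp_id = self.pending.pop(idp_assertion["txn"])
        # Pairwise pseudonym: same user at the same RP is stable, across RPs unlinkable.
        # idp_id is mixed in because 'sub' is only unique within one IdP's namespace.
        material = f"{idp_id}|{idp_assertion['sub']}|{rp_id}".encode()
        pairwise_sub = hmac.new(self.pairwise_key, material, hashlib.sha256).hexdigest()
        return {
            "txn": idp_assertion["txn"],
            "sub": pairwise_sub,
            "attributes": dict(idp_assertion["attributes"]),
            "from": "exchange",   # the RP sees the exchange as issuer, not the IdP
            "to": rp_id,
        }


def authenticate(exchange: IdentityExchange, rp_id: str, idp_id: str, idp_sub: str):
    """One full round trip. Returns (what the IdP saw, what the RP saw)."""
    idp_view = exchange.request_to_idp(rp_id, idp_id)
    # The IdP authenticates the user and answers with its own subject identifier.
    idp_assertion = {"txn": idp_view["txn"], "sub": idp_sub, "attributes": SAMPLE_ATTRIBUTES}
    rp_view = exchange.assertion_to_rp(idp_id, idp_assertion)
    return idp_view, rp_view


def check_double_blind(exchange: IdentityExchange, rp_id: str, idp_id: str, idp_sub: str) -> bool:
    """True if neither side's message names the other side or leaks the IdP's subject id."""
    idp_view, rp_view = authenticate(exchange, rp_id, idp_id, idp_sub)
    rp_hidden_from_idp = rp_id not in repr(idp_view)
    idp_hidden_from_rp = idp_id not in repr(rp_view) and idp_sub not in repr(rp_view)
    return rp_hidden_from_idp and idp_hidden_from_rp


def check_pairwise(exchange: IdentityExchange, idp_id: str, idp_sub: str) -> bool:
    """Same user at one RP gets a stable identifier; at two RPs, unlinkable ones."""
    _, first = authenticate(exchange, "rp-tax", idp_id, idp_sub)
    _, again = authenticate(exchange, "rp-tax", idp_id, idp_sub)
    _, other = authenticate(exchange, "rp-health", idp_id, idp_sub)
    return first["sub"] == again["sub"] and first["sub"] != other["sub"]


if __name__ == "__main__":
    ex = IdentityExchange(pairwise_key=secrets.token_bytes(32))
    idp_view, rp_view = authenticate(ex, "rp-tax", "idp-a", "user-0042-at-idp-a")
    print("IdP sees:", idp_view)
    print("RP sees: ", rp_view)
    print("double blind holds:", check_double_blind(ex, "rp-tax", "idp-a", "user-0042-at-idp-a"))
    print("pairwise holds:    ", check_pairwise(ex, "idp-a", "user-0042-at-idp-a"))
```

The two check functions are the practitioner’s test of the property: a real exchange should be exercised the same way, capturing each leg on the wire and confirming that no RP identifier reaches the IdP and no IdP identifier or IdP-scoped subject identifier reaches the RP.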

End user. A person that interacts with a TDIF participant’s service. Source: TDIF.

Entity. Something that has separate and distinct existence and that can be identified in a context. Note: an entity can be a physical person, an organization, an active or passive thing, a device, a software application, a service, etc. Source: ITU-T Rec X.1252.

Essential Eight. No single mitigation strategy is guaranteed to prevent cyber security incidents. Government agencies and organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident. Source: ACSC.

Evidence of Identity. Information that a person may present to support assertions or claims to a particular identity. The types of evidence that, when combined, provide confidence that a person is who they say they are and that the identity is valid and not known to be fraudulent. This evidence may be provided in the form of identity documents or other card-based credentials that contain key attributes (such as name, date of birth, unique identifier) or provide information on a person’s ‘pattern of life’ or ‘community footprint'. Source: NIPG.

Express consent. Consent that is given explicitly, either orally or in writing. This could include a handwritten signature, an oral statement, or the use of an electronic medium or voice signature to signify agreement. Source: OAIC.


Face Verification Service. A national online system that compares a photo against the image used on identity documents. The FVS can:

• Make access to government services more convenient for customers by avoiding the need to attend a shopfront.

• Help victims of identity crime reclaim their identity faster.

• Help prevent identity theft by detecting fake or stolen documents.

Source: ID Match (Australian Government Department of Home Affairs).

Fact of Death File. A compilation of death records from each of the data custodians. These files contain the full name, date of birth and residential address details of all the people who have died in Australia. Data files are available on the Australian Coordinating Registry dating back to 1992. Source: Queensland Government.

Family name. A person’s last name or surname. The ordering of family name and given names varies among cultures. Some cultures do not recognise a ‘family’ name; in Australia the last name is usually adopted as the family name. Source: Department of Home Affairs.

Fraud. Dishonestly obtaining a benefit, or causing a loss, by deception or other means. Source: Commonwealth Fraud Control Policy.

In the context of TDIF accreditation, fraud against an Applicant or accredited Provider may include (but is not limited to):

• Theft.

• Accounting fraud (e.g. false invoices, misappropriation).

• Unlawful use of, or unlawful obtaining of, equipment, material or services.

• Causing a loss, or avoiding and/or creating a liability.

• Providing false or misleading information, or failing to provide information when there is an obligation to do so.

• Misuse of assets, equipment or facilities.

• Making or using false, forged or falsified documents.

• Wrongfully using information or intellectual property.

Gatekeeper Public Key Infrastructure Framework. The Australian Government's policy and accreditation framework for the use of PKI by Australian Government agencies. Source: Gatekeeper PKI Framework.

Given name. Given names include combinations of first name/s, forename, Christian name/s, middle name/s and second name/s. Source: Department of Home Affairs.

Identity. A set of the attributes about a person that uniquely describes the person within a given context. Source: UNCITRAL.

Identity attribute. A piece of information relating to identity (e.g. full name, date of birth or biometric information). Source: TDIF.

Identity crime. Activities or offences in which a perpetrator uses a fabricated, manipulated, stolen or otherwise fraudulently assumed identity to facilitate the commission of crime. Source: NIPG.

Identity document. Any document or other thing that contains or incorporates identification information and that is capable of being used as evidence of identity. Source: NIPG.

Identity document issuer. An Australian government entity or approved entity that issues identity documents, such as Passports, Driver’s Licences or Proof of Age cards. Source: TDIF.

Identity Exchange. A class of accreditation supported under the TDIF. An Identity Exchange conveys, manages and coordinates the flow of identity attributes and assertions between members of the identity federation. Once an Identity Exchange has been granted accreditation it becomes a trusted core element of the identity federation. Source: TDIF.

Identity federation. A group of Participants that work together to ensure identity-related information can be relied on by Relying Parties to make risk-based decisions. Synonyms: multi-party identity system, federated identity management system, identity ecosystem. Source: TDIF.

Identity fraud. The gaining of money, goods, services or other benefits, or the avoidance of obligations, through the use of a fabricated, manipulated, stolen or otherwise fraudulently assumed identity. Source: NIPG.

Identity matching. The process completed by a relying party that determines whether a single digital identity relates to an existing record or is a new person. Source: TDIF.

Identity Proofing. Identity proofing refers to the process of collecting, verifying, and validating sufficient identity attributes about a specific person to define and confirm their identity. Source: TDIF.

Identity Proofing Level. An IP level describes the level of assurance or confidence in the identity proofing process, ranked from lowest to highest based on the consequence of incorrectly identifying a person. Source: TDIF.

Identity resolution. The process of determining whether multiple records relate to the same person or a different person, including digital identity records at one or more identity providers and/or the Exchange, and/or agency records at a relying party. Source: TDIF.

Identity Service Provider. A class of accreditation supported under the TDIF. An IdP creates, maintains and manages trusted identity information of people and offers identity-based services. In the context of the TDIF, an Identity Service Provider carries out identity proofing. Source: TDIF.

Identity theft. The fraudulent use of a person’s identity (or a significant part thereof) without consent, whether the person is living or deceased. Source: NIPG.

Implied consent. Implied consent arises when consent may reasonably be inferred in the circumstances from the conduct of the individual and the APP entity. Source: OAIC.

In-person interaction. Communication between two or more natural persons which occurs in the physical world. Source: TDIF.

Individual. A natural person (i.e. human). Source: Acts Interpretation Act 1901.

Information Security Manual. See Australian Government Information Security Manual.

Information Security Registered Assessors Program. An Australian Signals Directorate initiative to provide high quality information and communications technology security assessment services to government. Source: ASD.

Internal system user. An employee, secondee or third party authorised by the Participant’s organisation or agency to access and perform functions on the identity service, e.g. a system administrator. Source: TDIF.

IRAP assessment. A review by an IRAP Assessor of the implementation, appropriateness and effectiveness of the information security controls within a computing environment. Source: ASD.

IRAP Assessor. An ASD-certified information security professional endorsed to provide information security services to Australian governments, who can provide an independent assessment of information security, suggest mitigations and highlight residual risks. Source: ASD.

Key. A string of characters used with a cryptographic algorithm to encrypt and decrypt. Source: Gatekeeper PKI Framework.

Knowledge Based Authentication. See Shared Secrets.

Linking document. A document which demonstrates the continuity of the claimed identity where identity attributes, such as name or date of birth, have changed. Source: TDIF.

Liveness detection. The measurement and analysis of anatomical characteristics or involuntary or voluntary reactions, in order to determine if a biometric sample is being captured from a living subject present at the point of capture. Liveness detection methods are a subset of presentation attack detection methods. Source: ISO/IEC 30107-1:2016.

MAY. Means truly optional. This requirement has no impact on an Applicant’s ability to achieve or maintain TDIF accreditation if it is implemented or ignored. Source: TDIF.

Memorandum of Understanding. An agreement between two or more parties which expresses the terms and intended common action of the parties. Source: TDIF.

Memorised secret. A secret value chosen and memorised by the user, commonly referred to as a password or, if numeric, a PIN. Source: TDIF.

Multi-factor authentication. An authentication protocol that relies on more than one authentication factor for successful authentication. Source: NeAF.

Multi-factor cryptographic (device). A hardware device that performs cryptographic operations using one or more protected cryptographic keys and requires activation through a second authentication factor (either something a person knows or something a person is). Source: TDIF.

Multi-factor cryptographic (software). A cryptographic key stored on disk or some other "soft" media that requires activation through a second authentication factor (either something a person knows or something a person is). Source: TDIF.

Multi-factor cryptographic (trusted device). A Multi-factor Cryptographic device that has been evaluated by ASD and is on the ASD Evaluated Products List. Source: TDIF.

Multi-factor One-Time Password. A trusted device that generates OTPs as part of an authentication activity. This includes hardware devices and software-based OTP generators installed on devices such as mobile phones. The OTP is displayed on the device and input or transmitted by a person, proving possession and control of the device. Source: TDIF.

MUST. Means an absolute requirement of the TDIF. Failure to meet this requirement will impact the Applicant’s ability to achieve and maintain TDIF accreditation. Source: TDIF.

MUST NOT. Means an absolute prohibition of the TDIF. Failure to prevent this prohibited behaviour from occurring will impact the Applicant’s ability to achieve and maintain TDIF accreditation. Source: TDIF.

National e-Authentication Framework. A risk-based approach applied to identify and authenticate people to a desired level of assurance for online interactions. Source: NeAF.

National Identity Proofing Guidelines. The Council of Australian Governments’ national guidelines for identity proofing. The TDIF Identity Proofing Requirements are broadly based on the NIPG. Source: Department of Home Affairs.

Non-Person Entity. An entity with a digital identity that acts in the digital environment but is not a human actor. This can include organisations, hardware devices, software applications, and information artefacts. Also see Individual. Source: NIST.

One-Time Password. A password that is changed each time it is required. Source: NeAF.

Operating Rules. Sets out the legal framework for the operation of the identity federation, including key rights, obligations and liabilities of participants. Source: TDIF.

Out-of-band device. A physical device that uses an alternative channel for transmitting information, e.g. an SMS used to send a PIN or one-time password. Source: TDIF.

Oversight Authority. The entity responsible for the administration and oversight of the identity federation in accordance with the Operating Rules and TDIF, including making decisions about which Applicants should be accredited, which Accredited Providers’ accreditation should be continued, and which Relying Parties are approved to join. Source: TDIF.

Participant. The Oversight Authority and each Identity Exchange, Attribute Service Provider, Credential Service Provider, Identity Service Provider and Relying Party that operate in the identity federation. Source: TDIF.

Person. Expressions used to denote persons generally (such as ‘person’, ‘party’, ‘someone’, ‘anyone’, ‘no-one’, ‘one’, ‘another’ and ‘whoever’) include a body politic or corporate as well as an individual. Source: Acts Interpretation Act 1901.

Personal information. Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

a) whether the information or opinion is true or not; and

b) whether the information or opinion is recorded in a material form or not.

Source: Privacy Act 1988.

Personnel. Any member of a Participant’s staff or contracted service provider’s staff used to service the Participant’s contracts, or other people who provide services to the agency or access Participant information or assets as part of sharing initiatives. Source: PSPF (adapted by DTA).

Photo ID. Photographic Identification (Photo ID). An identity document that has attributes, including a facial image of the identity document holder, that are verifiable with an Authoritative Source. Source: TDIF.

Presentation attack. Presentation to a data capture subsystem with the goal of interfering with the operation of the data system. A presentation attack can be implemented through a number of methods, e.g. artefact, mutilations, replay, etc. Source: ISO/IEC 30107-1:2016.

Privacy Champion. A senior official within the agency who has the functions of:

a. promoting a culture of privacy within the agency that values and protects personal information;

b. providing leadership within the agency on broader strategic privacy issues;

c. reviewing and/or approving the agency’s privacy management plan, and documented reviews of the agency’s progress against the privacy management plan; and

d. providing regular reports to the agency’s executive, including about any privacy issues arising from the agency’s handling of personal information.

Source: Privacy (Australian Government Agencies – Governance) APP Code 2017.

Privacy Impact Assessment. A systematic assessment of an identity service that identifies the impact that the identity service might have on the privacy of people, and sets out recommendations for managing, minimising or eliminating that impact. Source: OAIC.

Proof of Record Ownership. A method of performing identity matching at a Relying Party, which handles scenarios where there is an uncertain potential match by requesting the user to answer questions which demonstrate record ownership. Source: DHS.

Protective security documentation. The minimum set of documents that an Applicant develops as part of meeting the protective security obligations of TDIF accreditation. Source: TDIF.

Public Key Infrastructure. The combination of hardware, software, people, policies and procedures needed to create, manage, store and distribute keys and certificates based on public key cryptography. Source: Gatekeeper PKI Framework.

Registries of Births, Deaths and Marriages. Register a birth, apply for a certificate, change your name or search your family history. The registration of births, deaths and marriages, changes of name, changes of sex, adoptions and provision of certificates is the responsibility of the state and territory governments in Australia. Source: Australian Government.

Relying Party. An organisation or government agency that relies on verified identity information, attributes or assertions provided by identity service providers and attribute providers through an identity exchange to enable the provision of a digital service. Source: TDIF.

Repudiation. A denial by a person that an act attributed to them was performed by them. Examples of such an act include an Assertion, a declaration and a transaction. Source: NeAF.

Requirements Traceability Matrix. Captures the output from requirements tracing, a process of documenting the links between the requirements and the Test Cases developed to verify and validate those requirements (see Verification and Validation). Source: AS NZS ISO/IEC IEEE 29119.1-2015.

Risk. The effect of uncertainty on objectives. An effect is a deviation from the expected, positive and/or negative. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances or knowledge) and the associated likelihood of occurrence. Source: ISO 31000:2018.

Risk appetite. The amount and type of risk an entity is willing to accept or retain in order to achieve its objectives. It is a statement or series of statements that describes the organisation’s attitude toward risk taking. Source: ISO 31000:2018.

Risk assessment. The process of risk identification, risk analysis and risk evaluation. Source: ISO 31000:2018.

Risk-based testing. Testing in which management, control and priority are based upon the Risk Rating assigned to the requirement. Source: AS NZS ISO/IEC IEEE 29119.1-2015.

Risk management. The coordinated activities and actions taken to ensure that an organisation is conscious of the risks it faces, makes coordinated and informed decisions in managing those risks and identifies potential opportunities. Source: ISO 31000:2018.

Risk management framework. A set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation. Source: ISO 31000:2018.

Risk profile. A description of any set of risks. The set of risks can contain those that relate to the whole organisation, part of the organisation or as otherwise defined. Source: ISO 31000:2018.

Risk tolerance. The levels of risk taking that are acceptable in order to achieve a specific objective or manage a category of risk. Source: ISO 31000:2018.

Road Traffic and Transport Authorities. State and territory governments have responsibility for roads and road transport within their jurisdiction. Their websites may include information about traffic and road conditions, road construction, road rules, and road safety, as well as vehicle registration and licensing. Source: Australian Government.

Sensitive information. Information or an opinion about an individual’s:

• Racial or ethnic origin; or

• Political opinions; or

• Membership of a political association; or

• Religious beliefs or affiliations; or

• Philosophical beliefs; or

• Membership of a professional or trade association; or

• Membership of a trade union; or

• Sexual orientation or practices; or

• Criminal record; or

• That is also personal information; or

• Health information about an individual; or

• Genetic information about an individual that is not otherwise health information; or

• Biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

• Biometric templates.

Source: Privacy Act 1988.

Serious and complex fraud. Fraud which, due to its size or nature, is considered too complex for most entities to investigate. Source: Commonwealth Fraud Control Policy.

Service operations testing. The testing process that covers the testing required to validate that the testable aspects of operating an In-Service (Production) system demonstrate conformance to the Service Operation Requirements. Source: TDIF.

Session. Once authentication has taken place a session may be established to allow a person to continue accessing the service across multiple subsequent interactions without requiring repeated authentication. Source: TDIF.

Shared risk. A risk with no single owner, where more than one entity is exposed to or can significantly influence the risk. The responsibility for managing a shared risk is shared by all relevant identity federation participants and will benefit from a coordinated response where one identity federation participant takes a lead role. Source: TDIF.

Shared Secret. A secret used in authentication that is known to the subscriber and the verifier. Source: TDIF.

Sighting. The examination of a document by a trained operator to confirm the authenticity of the identity document. Source: TDIF.

Single-factor authentication. An authentication protocol that relies on only one authentication factor for successful authentication. Source: TDIF.

Single-factor cryptographic (software). A cryptographic key stored in some form of ‘soft’ media. Authentication is accomplished by proving possession and control of the key. Source: TDIF.

Single-factor One-Time Password (device). A device that generates OTPs, including hardware devices (e.g. a dongle), SMS or software-based OTP generators installed on devices such as mobile phones. The OTP is displayed on the device and input or transmitted by a person. Source: TDIF.

Source verification. The act of verifying identity attributes and information with an Authoritative Source. Source: TDIF.

Step up. A process where the level of assurance of an individual’s identity is increased from one IP level to the next IP level. Source: TDIF.

Subscriber. A person who has received a credential or authenticator from a CSP. Source: TDIF.

System testing. A way of validating systems through executing the user flows, user interactions and component interactions to ensure that the system has all the required functionality specified in the TDIF. Source: TDIF.

TDIF Accreditation Criteria. The criteria and requirements a person will be required to meet to become an Identity Exchange, a Credential Service Provider, an Identity Service Provider, or an Attribute Service Provider (except criteria or requirements waived by the Oversight Authority) in accordance with the TDIF. Source: TDIF.

TDIF Accreditation Process. The process which involves a combination of documentation requirements, third party evaluations and operational testing that Applicants must complete to the satisfaction of the Trust Framework Accreditation Authority in order to achieve Trust Framework accreditation. Source: TDIF.

Technical integration testing. A testing process used to validate the conformance to Technical Integration requirements included in the TDIF technical profiles. Source: TDIF.

Technical verification. The act of verifying identity attributes and information using a cryptographically secure element of the document, such as a secure chip or a PDF document signature. Source: TDIF.

Test artefacts. The products developed in the different phases of the testing life cycle are known as Test Artefacts. These may be electronic documents or output from a Test. Source: AS NZS ISO/IEC IEEE 29119.1-2015.

Test case. Documents preconditions (including test data), expected results and post conditions, developed for a particular test scenario in order to verify compliance against a specific requirement. Source: AS NZS ISO/IEC IEEE 29119.1-2015.

Test condition. A testable aspect of a feature, requirement or attribute. Source: AS NZS ISO/IEC IEEE 29119.1-2015.

Test sets. A group of Test Cases that belong to a specific task or feature, or where there is some other reason for the Test Cases to be executed at the same time. Source: AS NZS ISO/IEC IEEE 29119.1-2015.

Test tool. A test management tool is software used to manage tests (automated or manual). Source: AS NZS ISO/IEC IEEE 29119.1-2015.

Trust framework. A term used for the set of rules that defines the scope and purpose of the identity system, determines what roles are to be included and what duties are assigned to those roles, sets the eligibility requirements for entities seeking to fulfil those roles, and establishes the rules and regulations for processing of identity information within the context of the identity system. Source: OIX.

Trust Framework Accreditation Authority. The entity which manages the TDIF Accreditation Process and makes decisions in relation to the accreditation of Applicants and Accredited Providers. In time the TFAA will be replaced by the Oversight Authority. Source: TDIF.

Trusted device. A device for facilitating authentication that a person controls and that is enrolled as part of the creation of the credential. Source: TDIF.

Trusted Digital Identity Framework. The TDIF contains the tools, rules and accreditation criteria to govern the identity federation. It provides the required structure and controls to deliver confidence to participants that all Accredited Providers in the identity federation have met their accreditation obligations and as such may be considered trustworthy. These obligations cover privacy, protective security, accessibility and usability, risk management, records management, fraud control, technical integration, service operations, identity proofing and authentication credential management. Source: TDIF.

Trusted referee. A trusted referee is a person or organisation that holds a position of trust in the community and does not have a conflict of interest, such as an Aboriginal elder or a reputable organisation that the person is a customer, employee or contractor of, and is known and listed by the enrolling agency to perform the function of a referee. The Statutory Declarations Act 1959 provides a list of people who hold a position of trust in the community. Similar lists are also generally included in state and territory legislation. Trusted referees may also include guardians or other people nominated to act on a person’s behalf whose identities have been verified. Source: NIPGs.

Unique in context. A digital identity is created with a unique combination of legitimate personal and contact information. Different combinations of personal and contact information can be used to create additional digital identities, each unique within the IdP’s system. This enables people, if they choose to do so, to establish one or multiple digital identities with one or multiple IdPs. Source: TDIF.

Use in the Community document. A government issued document, or a document issued by a reliable and independent source, used to demonstrate the use of an individual’s identity in the community over time (e.g. a Medicare card). Source: TDIF.

User. A person who establishes a digital identity to obtain digital services from Relying Parties (e.g. the general public). Source: TDIF.

User dashboard. A collective term for the features that an Identity Exchange provides to a user that has been authenticated by an Authentication Credential Service Provider. Source: TDIF.

User experience. A person’s perceptions and responses that result from the use or anticipated use of a product, system or service. For the purpose of the TDIF this covers the accessibility, usability and inclusive design aspects of solution design to ensure identity services are straightforward, easy to use, secure and trusted. Source: ISO 9241-210.

User researcher. A person who focuses on understanding user behaviours, needs, and motivations through observation techniques, task analysis, and other feedback methodologies. Source: DTA.

Validation (in an identity proofing context). A check that the attribute exists and is under the control of the individual (e.g. an SMS activation code being sent to a mobile phone number to confirm control of the associated phone number). Source: TDIF.

Validation (in an integration testing context). Testing a system under controlled conditions, providing evidence that the system satisfies TDIF requirements and satisfies intended use and user needs. Validation involves testing that functionality works as specified, designed and constructed, including testing boundary conditions to ensure that the system is robust when in production. Source: TDIF.

Vendor. A person or company offering something for sale. Source: dictionary.

Verification. Provides confirmation, through the provision of objective evidence, that TDIF requirements have been fulfilled. Source: TDIF.

White box system testing. A security testing and examination technique performed by a protective security specialist. White box techniques involve direct analysis of an application’s source code. White box techniques are generally more efficient and cost-effective for finding security defects in custom applications than black box techniques. Source: NIST SP 800-115.