Authentication, Authorisation and Identity (AAI)

Now available:

- JISC Levels of Identity Assurance Project Reports

- JISC Identity Project Reports

The use of many types of resources, from wireless networks to library catalogues, is often regulated through rules. These rules frequently make use of traits associated with the identity, be it human or machine, that is attempting to use the resource. The process of determining which privileges the possession of these traits should confer on the identity is called authorisation.

For authorisation to be useful, it is necessary to have confidence that the actor behind the claimed identity is permitted to use it. The process of proving ownership of a claimed identity is called authentication. This is typically implemented through protocols that allow the actor to demonstrate that they are who they claim to be, usually by showing possession of a token (e.g. a passport), knowledge of a secret (e.g. a password), or possession of a unique characteristic (e.g. a fingerprint).

Authorisation and authentication often make significant demands of information and the way in which it is processed: for example, that it must remain confidential, be disclosed only to appropriate parties, or be signed so as to ensure non-repudiation. These requirements typically arise through legal obligations (such as data protection law or a contractual agreement) or because the authentication and authorisation processes themselves.

The primary focus of the AAI programme is to establish infrastructure that supports the community's increasingly complex authentication and authorisation requirements, and the production of best practice and policy that guides and governs its use. More information on each programme area can be accessed from the links below:

The JANET(UK) AAI team are active participants in a number of international working groups and forums for the development of standards.