Glossary
This page provides definitions for key terms and abbreviations used throughout this technical documentation.
Terms and Definitions
For the purpose of this document, the following terms and definitions apply.
Active Authentication (AA)
A challenge–response protocol performed with the passport’s NFC chip to prove possession of the original document. The chip signs a random challenge with its private key; the reader verifies the signature using the public key stored in the chip’s data groups.
Asymmetric cryptography
Cryptographic operations performed using a key pair: a private key used by the issuer to sign data and a public key used by anyone to verify the signature. The two keys have an “asymmetric” role, hence the term.
Audit trail
An immutable, append-only log of security-relevant events (enrollment, authentication, revocation, consent decisions, administrative actions). In IDToken the audit trail is stored in a PostgreSQL table with INSERT-only rules — UPDATE and DELETE are blocked.
Authentication session
A short-lived (60-second TTL) server-side record representing an in-progress X.1280 authentication. It binds a sessionId, tokenId, OTP, and requested scopes together and is deleted after the first verification attempt resolves.
BioSeal Issuance Service
A hardware-secured service operated by id3 Technologies that generates Visible Digital Seal (VDS) credentials from passport data. Issuance stations never call BioSeal directly — requests are proxied through the IDToken Auth Server, which verifies the passport chip’s cryptographic proof first.
Certificate
Electronic file attesting that a cryptographic key pair belongs to a person or a hardware or software component as identified in the certificate. A certificate is issued by a Certificate Authority. By signing the certificate, the Certificate Authority approves the link between the identity and the cryptographic key pair.
Certificate Authority (CA)
Service offered by a Trust Service Provider to create and issue certificates on behalf of users, and to ensure the integrity of the electronic identification of signers.
Certificate Revocation List (CRL)
List of certificates that have been revoked by the issuing Certificate Authority before their scheduled expiration date and should no longer be trusted.
Claim
A single piece of identity information (e.g., givenName, age_over_18) extracted from a VDS credential and included in a JWT or OIDC token when the corresponding scope is granted.
Derived claim
A claim computed from VDS raw data rather than copied directly. For example, age_over_18 is derived from dateOfBirth at verification time, allowing age-gated services without revealing the exact birth date.
Digital Seal
Data set signed in digital form that is logically attached or associated with other data in digital form to ensure the origin and integrity of the data.
ECDSA (Elliptic Curve Digital Signature Algorithm)
The signature algorithm used throughout the IDToken ecosystem. VDS credentials, mobile device keys, JWT signing keys, and server response verification all use ECDSA with the P-256 curve.
eIDAS (electronic Identification, Authentication and trust Services)
EU regulation establishing a legal framework for electronic identification and trust services. IDToken trust levels map to eIDAS assurance levels (Low, Substantial, High).
Electronically Signed Encoded Data Set (ESEDS)
A structured data set, often in the form of an MRC, containing a payload and its signature from the issuer. A header identifies the type of payload and the issuer. An optional auxiliary data block may be added after the signature.
Enrollment
The one-time process of binding a VDS credential to a mobile app’s ECDSA key pair. During enrollment, the passport is read via NFC, a face match confirms the holder’s identity, the VDS is generated by BioSeal, and the mobile app registers its public key with the auth server.
FCM (Firebase Cloud Messaging)
Google’s push notification service used by IDToken to deliver authentication requests to the mobile app. Push notifications carry the sessionId, OTP, tokenId, and service identity as silent data messages — never displayed as system notifications.
Governance Board
The top-level authority responsible for the overall governance, standardization, security, and trustworthiness of the global VDS ecosystem. It defines global policies, manages the Root List of Trusted Lists (Root LoTL), accredits Scheme Operators, and ensures global interoperability. In the context of this specification, the Governance Board is the VDS International Council (VDSIC).
Hardware Security Module (HSM)
A physical computing device that safeguards and manages cryptographic keys, performs encryption and decryption functions, and provides tamper-evident and tamper-resistant protection. HSMs used in VDS signing and trust list signing must be certified to FIPS 140-2/140-3 Level 3 or Common Criteria EAL4+.
HKDF (HMAC-based Key Derivation Function)
A key derivation function used by IDToken to derive session-scoped OTP keys from a master secret. The derivation binds the key to a specific tokenId and sessionId, preventing cross-session reuse.
HMAC (Hash-based Message Authentication Code)
A mechanism for computing a message authentication code using a cryptographic hash function combined with a secret key. IDToken uses HMAC-SHA256 for OTP generation, WebSocket token authentication, and response verification (X.1280 anti-forgery).
ICAO (International Civil Aviation Organization)
The UN specialized agency that defines the standards for machine-readable travel documents (MRTDs), including passport chip data structures, the Security Object Document (SOD), and Active Authentication.
Identity Provider (IdP)
A system that creates, maintains, and manages identity information and provides authentication services. IDToken acts as both an OIDC Provider and a SAML 2.0 IdP, translating passwordless authentication into standard federation tokens.
JSON Web Key Set (JWKS)
A JSON data structure representing a set of public keys used to verify JWTs. IDToken exposes its JWKS at /.well-known/jwks.json, allowing relying parties to verify tokens without sharing secrets.
JSON Web Token (JWT)
A compact, URL-safe token format (RFC 7519) used by IDToken to convey verified identity claims to relying parties. IDToken JWTs are signed with ES256 (ECDSA P-256) and contain scope-filtered claims from the VDS credential.
Manifest
External resource containing information in XML format about the VDS use case, its data schema, validation policies, and optional extensions. The IDToken manifest (ID: 0A0001) defines the payload schema for identity credentials.
MessagePack
A binary data serialization format designed for efficiency and compactness. It is the default encoding format for the VDS Payload and Auxiliary Data sections, offering a size-efficient alternative to text-based formats like JSON or XML.
Mutual authentication
A security property of the X.1280 protocol where both parties verify each other: the user verifies the service by matching the displayed OTP, and the service verifies the user through the mobile app’s ECDSA signature and biometric confirmation.
OTP (One-Time Password)
A 6-digit code generated by the IDToken server for each authentication session. The OTP is derived using HKDF-SHA256 from the master secret, tokenId, and sessionId. It is displayed by the service and sent via push notification to the mobile app — the user confirms identity by matching the two codes.
Out-of-band authentication
An authentication method where verification occurs over a separate communication channel from the primary session. In IDToken, the browser session and the mobile push notification constitute two independent channels, preventing real-time phishing.
Passive Authentication (PA)
Verification of the passport chip’s Security Object Document (SOD) digital signature chain back to the ICAO Certificate Authority, proving that the chip’s data has not been tampered with since issuance.
PKI (Public Key Infrastructure)
The framework of policies, hardware, software, and procedures for creating, managing, distributing, using, storing, and revoking digital certificates. IDToken relies on the VDS PKI chain (VDSIC → Scheme Operator → TSL → CA → signing certificate) for credential verification.
Relying Party (RP)
An application or service that relies on IDToken for user authentication. Relying parties receive JWTs (or OIDC/SAML tokens) containing verified identity claims and can request specific scopes to limit data exposure.
Root List of Trusted Lists (Root LoTL)
The top-level trust anchor published by VDSIC that references all authorized Scheme Operators’ Lists of Trusted Lists. The Root LoTL conforms to ETSI TS 119 612 with VDSIC-defined extensions and is digitally signed using XAdES-T or CAdES-T format.
Scheme List of Trusted Lists (Scheme LoTL)
A Scheme Operator’s List of Trusted Lists that points to Trust Service Lists (TSLs) for VDS Issuers within the scheme.
Scheme Operator
An entity responsible for managing and operating a specific trusted VDS scheme or domain within the overall VDS ecosystem. Operating under the authority of the Governance Board (VDSIC), it maintains a Scheme LoTL, defines scheme-specific policies and manifest usage, and oversees compliance. Often synonymous with Trust Service Operator (TSO). In the IDToken context, Otentik is the Scheme Operator (IAC: “VDS”).
Scope
A permission string (e.g., identity:name, identity:age_over_18, identity:photo) that controls which identity claims are included in the authentication response. Scopes are registered per service, requested during auth initiation, and may be further restricted by user consent.
Selective disclosure
The ability for users to share only the specific identity claims a service needs. A service requesting identity:age_over_18 receives a boolean — not the user’s full name, nationality, or document number.
Service VDS
A Visible Digital Seal issued to a relying party (service), used for mutual authentication. When a service presents its VDS during auth initiation, the IDToken server cryptographically verifies the service’s identity — eliminating the need for pre-registered service IDs and enabling mutual identity assurance.
Trust level
A numeric grade (1–3) assigned to a VDS credential based on its issuance method: Level 1 (self-issued, low assurance), Level 2 (operator-verified with NFC, eIDAS Substantial), Level 3 (full NFC + Active Authentication + biometric match, eIDAS High). Trust levels are included as JWT claims and can be used by relying parties to gate access.
Trust Service List (TSL)
A trusted-service list compliant with ETSI TS 119 612, containing information about the TSO, the TSPs, and the CA authorized to issue certificates to sign a VDS. TSLs are extensible using XML extensions defined by the TSO.
Trust Service Operator (TSO)
Entity that defines the governance structure and technical requirements of the trust service, and oversees the overall operations.
Trust Service Provider (TSP)
Entity tasked with defining the CA trust framework and governance structure, offering certificate service(s), operating the CA, and ensuring compliance with that governance.
VDS Revocation List (VRL)
A list of revoked VDS fingerprints (SHA-256 of the raw VDS bytes) published via the Trust Service List. IDToken checks VDS credentials against the VRL to detect credentials revoked at the PKI level.
VDS Service Provider
An entity authorized within a specific VDS scheme to create, digitally sign, and manage Visible Digital Seal instances according to the rules, schemas (Manifests), and policies defined by the relevant Scheme Operator.
Visible Digital Seal (VDS)
A compact, cryptographically signed credential defined by ISO 22376. In IDToken, the VDS is derived from a government-issued passport and serves as the user’s digital identity — carrying biographical data, a biometric photo, and a trust chain traceable to the VDSIC Governance Board.
WebSocket
A persistent, full-duplex communication channel used by IDToken to deliver real-time session updates (OTP ready, approved, rejected, timeout) from the auth server to the browser. WebSocket connections are authenticated using an HMAC-SHA256 token.
X.1280
ITU-T Recommendation X.1280 — a mutual out-of-band authentication protocol where the service presents an OTP to the user, who confirms it on a separate device. IDToken implements X.1280 with VDS-based identity and biometric confirmation.
Abbreviated Terms
For the purpose of this document, the following abbreviations apply.
| Abbreviation | Definition |
|---|---|
| AA | Active Authentication |
| CA | Certificate Authority |
| CRL | Certificate Revocation List |
| CORS | Cross-Origin Resource Sharing |
| CSP | Content Security Policy |
| ECDSA | Elliptic Curve Digital Signature Algorithm |
| eIDAS | electronic Identification, Authentication and trust Services |
| ESEDS | Electronically Signed Encoded Data Set |
| FCM | Firebase Cloud Messaging |
| FIPS | Federal Information Processing Standards |
| HKDF | HMAC-based Key Derivation Function |
| HMAC | Hash-based Message Authentication Code |
| HSM | Hardware Security Module |
| HSTS | HTTP Strict Transport Security |
| IAC | Issuing Agency Code |
| ICAO | International Civil Aviation Organization |
| IdP | Identity Provider |
| ISO | International Organization for Standardization |
| ITU-T | International Telecommunication Union — Telecommunication Standardization Sector |
| JWT | JSON Web Token |
| JWKS | JSON Web Key Set |
| LoTL | List of Trusted Lists |
| MRC | Machine-Readable Code |
| MRZ | Machine-Readable Zone |
| NFC | Near Field Communication |
| OIDC | OpenID Connect |
| OTP | One-Time Password |
| PA | Passive Authentication |
| PKI | Public Key Infrastructure |
| RP | Relying Party |
| SAML | Security Assertion Markup Language |
| SHA | Secure Hash Algorithm |
| SLO | Single Logout |
| SOD | Security Object Document |
| SSO | Single Sign-On |
| TLS | Transport Layer Security |
| TSL | Trust Service List |
| TSO | Trust Service Operator |
| TSP | Trust Service Provider |
| TTL | Time To Live |
| UUID | Universally Unique Identifier |
| VDS | Visible Digital Seal |
| VDSIC | VDS International Council |
| VRL | VDS Revocation List |
| WS | WebSocket |
| WSS | WebSocket Secure |