Add commercial-identity-nuance-settlement.md resolving control_basis, binding_trigger, cross-registry Synonymity strengths, OPI branch modeling, escrow commitment type, reputation portability, payment edge cases, CRM renewal rules, Person Account adapters, and eIDAS wallet scope. Update canon, OpenQuestions, and all commercial-identity source notes.
# Terminology Inventory

Status: draft. Updated after IDENTITY-WP-0003 corpus backfill. Mappings remain
candidates until reviewed against `canon/CanonicalGlossary.md` and scenario
tests.
## Use

Use this file to collect source terms and their current candidate canonical
home. Use `terminology/TerminologyConflictMap.md` when a term is overloaded or
has incompatible meanings across source families.
## Inventory

| Term | Candidate canonical concept | Source families | Notes |
|---|---|---|---|
| actor | Actor | ActivityPub, FOAF, Cedar, proposal | Participation root. ActivityPub actor is server-hosted; FOAF Agent includes persons. |
| natural person | Natural Person | FOAF, Schema.org, NIST, GDPR | Human being; FOAF Person and Schema.org Person align strongly. |
| user | Convenience label only | SCIM, LDAP, Keycloak, ZITADEL, apps | Overloaded. Map by context: SCIM/LDAP User → Identity Record; Keycloak/ZITADEL User → Account. |
| account | Account | SCIM, LDAP posixAccount, FOAF OnlineAccount, Keycloak | Operational access record in a scope. FOAF separates account from person explicitly. |
| identity | Identity Record or Claim | Kratos, OIDC, DID, VC, apps | Kratos Identity = traits + credentials. Avoid bare identity as root noun. |
| identifier | Identifier | OIDC sub, SAML NameID, LDAP DN, DID, WebID | Value referring within or across scopes. See Scoped Identifier when correlation is limited. |
| scoped identifier | Scoped Identifier | OIDC pairwise, SAML transient, pseudonyms | Meaning limited to RP, sector, tenant, or session. |
| credential | Credential | NIST, Kratos, OIDC token, VC, DID keys | Proof material. Distinguish VC (claim container) from password/WebAuthn. |
| subject | Authenticated Subject | OIDC, SAML, SSF events | Protocol/security view after issuer identification. Not Actor or Principal. |
| principal | Authorization Principal | Cedar, Cerbos, Zanzibar, OpenFGA | Decision-engine participant. OpenFGA user: prefix is not a human user. |
| end-user | Natural Person (inferred) | OIDC | OIDC names the human implicitly; does not model as entity. |
| profile | Profile | FOAF, WebID/Solid, SCIM attrs, ActivityPub | Presentation or attribute surface. Solid profile is user-controlled data. |
| persona | Persona | proposal, privacy patterns | Contextual presentation; pairwise/pseudonymous profiles map here. |
| agent | Actor or Artificial Agent | FOAF, ActivityPub, WebID | FOAF Agent includes humans; ActivityPub Service = Artificial Agent. |
| bot | Artificial Agent | ActivityPub Service, apps | Automated actor; may use Service Account. |
| service account | Service Account | Keycloak, ZITADEL machine user, Kratos | Non-human login or API identity. ZITADEL machine user, Kratos service patterns. |
| machine user | Service Account | ZITADEL | Product term for non-human org identity. |
| organization | Organization | Schema.org, Keycloak Orgs, ZITADEL, SCIM ext | Collective actor. SCIM organization attribute is not an Organization actor. |
| legal entity | Legal Entity | business, compliance | Organization recognized under law; separate from tenant. |
| customer | Customer (relationship role) | SaaS, vendor models | B2B subscriber org → Organization + Customer role + Tenant. Not Stripe Customer. |
| vendor | Vendor (relationship role) | SaaS, multi-vendor | Provider role; not realm or tenant. |
| subscriber | Organization + Customer role | Auth0 B2B SaaS | Convenience label only; not canonical. |
| stripe customer | Commercial Record | Stripe, billing | Billing object; link to Tenant via metadata. Not Account. |
| payment method / pm_xxx | Payment Instrument Reference | Stripe, Adyen | Tokenized provider reference; not Credential; not CHD in canon. |
| payment mandate / setup intent | Payment Mandate (Commercial Commitment) | Stripe, SEPA | Authorization to charge; commitment_type payment_mandate. |
| pan / cvv / chd | Out of canon | PCI DSS | Downstream PCI vault only. |
| opportunity (crm) | Pipeline Pursuit | Salesforce, HubSpot | In-flight deal; not Commercial Commitment until binding trigger. |
| forecast commit (salesforce) | Pipeline Pursuit metadata | Salesforce | Sales forecast category; not Commercial Commitment. |
| closed won | Pipeline Pursuit lifecycle + optional commitment | CRM | Won stage alone does not auto-create active commitment. |
| quote accepted / loi signed | Commercial Commitment (proposed) | CPQ, sales | Binding trigger with document evidence. |
| crm account | Commercial Record | Salesforce, CRM | Commercial record; not login Account. |
| customer account | Resolve by layer | billing, IAM, CRM | Not canonical — see TerminologyConflictMap. |
| commercial record | Commercial Record | Stripe, CRM, billing | Record layer; payment/subscription/commerce state. |
| commercial relationship | Commercial Relationship | vendor/customer SaaS | Vendor-to-customer typed relationship. |
| commercial commitment | Commercial Commitment | contracts, subscriptions, KYC | Binding obligation raising identity stakes. |
| beneficial owner | Beneficial Owner + Beneficial Ownership Relationship | KYC/AML, FinCEN CDD, FATF R24 | Natural person behind legal entity customer; dedicated relationship type with ownership/control prongs. |
| beneficial ownership | Beneficial Ownership Relationship | FinCEN CDD, BOI, Open Ownership | Regulated Natural Person → Organization/Legal Entity linkage; not Ownership subtype. |
| lei | Registry Identifier (regulatory_global) | GLEIF, ISO 17442, ICD 0199 | Legal entity identifier with annual renewal. |
| duns | Proxy Commercial Identifier | D&B, ICD 0060 | Commercial-proxy registry identifier. |
| uei | Registry Identifier (government_registry) | SAM.gov | US federal entity identifier. |
| company registration number | Registry Identifier (government_registry) | national registers, ALEI | Authoritative incorporating-register identifier. |
| alei / ibrn | Registry Identifier (government_registry) | ISO 8000-116 | Authoritative legal entity identifier from government register. |
| iso 6523 / icd | Registry Identifier scheme | ISO/IEC 6523, PEPPOL | ICD + organization identifier encoding. |
| legal person | Legal Person | eIDAS, civil law, agency | Natural or juridical person under law. |
| paydex | Performance Evidence | D&B | Observed-tier payment performance metric. |
| reputation | Resolve by assurance tier | marketplaces, credit | Not canonical — see Counterparty Assurance Gradient. |
| star rating / review | Reputation Signal | Yelp, Amazon, App Store | Opinion-tier Evidence Source; weak, gamable. |
| feedback score | Reputation Signal | eBay, Uber | Platform-local opinion tier. |
| credit score | Performance Evidence | bureaus, D&B | Observed-tier counterparty metric. |
| performance bond / surety | Commercial Commitment | construction, procurement | Committed-tier financial assurance. |
| escrow | Commercial Commitment | marketplaces, Stripe | Committed-tier funds segregation. |
| arbitration award | Adjudication Outcome | AAA, ICC, JAMS | Adjudicated-tier dispute result. |
| court judgment | Adjudication Outcome | courts | Adjudicated-tier enforcement outcome. |
| assurance gradient | Counterparty Assurance Gradient | commercial identity | Four-tier reliance model (opinion → adjudicated). |
| control_basis | Beneficial Ownership Relationship metadata | FinCEN CDD, EU AMLD | Settled role enum (chief_executive, managing_member, …). |
| binding_trigger | Pipeline Pursuit promotion | CRM adapters | Settled enum (quote_accepted, contract_executed, …). |
| fincen id | Registry Identifier (government_registry) | BOI | Natural person government registry ID. |
| person account | Natural Person + Commercial Record | Salesforce B2C | Adapter projection_mode person_account_combined only. |
| ncage / cage | Registry Identifier (industry_association) | defense procurement | Industry association authority class. |
| network token | Payment Instrument Reference | Visa VTS, MDES | instrument_type network_token. |
| escrow (platform) | Commercial Commitment (escrow) | marketplaces | Committed tier when funds segregated. |
| kyc / cip | Evidence Source + Assurance | FinCEN, FATF | Regulated commercial identity onboarding. |
| crm account | Commercial Record | Salesforce | Company/household commercial record. |
| fluid identity | Persona / weak binding | theory | Low commercial stake; intentional mutability. |
| bound identity | Commercial Commitment present | theory | High counterparty reliance; stable identifiers. |
| tenant | Tenant | ZITADEL org, SaaS, Keycloak (informal) | Administrative/isolation scope. Keycloak realm sometimes called tenant. |
| realm | Realm | Keycloak | Hard identity/admin namespace. Candidate Scope specialization. |
| scope | Scope | OIDC, Cerbos, OpenFGA store, proposal | Boundary for meaning, policy, or correlation. |
| namespace | Scope | LDAP dc, Keto/OpenFGA, DID method | Naming or authorization partition. |
| instance | Scope | ZITADEL | Deployment-level boundary above organizations. |
| project | Application Scope | ZITADEL | Application/product container within org. |
| community | Community | ActivityPub Group, proposal | Participation-oriented collective. ActivityPub Group may be Community or Group. |
| family | Family or Household | proposal, GDPR-sensitive | Guardian/dependent semantics; privacy-sensitive. |
| household | Family or Household | family accounts | Co-residence unit; may differ from legal family. |
| group | Group | LDAP, SCIM, FOAF, ActivityPub, Cedar | Named collection. LDAP/SCIM group ≠ social community without context. |
| team | Group or Organization Unit | Schema.org, collaboration | Collaboration unit; may be org sub-unit. |
| role | Role | Keycloak, ZITADEL, Cedar, Cerbos, Schema.org OrganizationRole | Capability bundle or relationship label. Cerbos derived role may hide Ownership. |
| grant | Role assignment | ZITADEL | Project role assignment; map to Delegation-like relationship. |
| member | Membership Relationship | SCIM, LDAP, FOAF, Schema.org, Zanzibar | Relationship edge, not a noun for the participant. |
| affiliation | Affiliation Relationship | Schema.org, FOAF knows | Looser than membership. FOAF knows is weak social affiliation. |
| follower | Following Relationship | ActivityPub | Directed social subscription; not membership or authz. |
| follow | Following Relationship | ActivityPub | Activity establishing follower edge. |
| owner | Ownership Relationship | Zanzibar, Cerbos derived | Control/responsibility. Cerbos may encode as attribute not relationship. |
| administrator | Administration Relationship | IAM, ZITADEL grants | Delegated management in scope. |
| delegation | Delegation Relationship | Cedar context, agents | Bounded authority grant. Cedar context may carry delegatedBy. |
| representation | Representation Relationship | SCIM manager, DID controller | Acting on behalf of another. DID controller may differ from subject. |
| trust | Trust Relationship | federation, VC, DID | Reliance on issuer/verifier; federation metadata trust. |
| claim | Claim | OIDC, SAML attributes, VC | Statement by issuer. SAML AttributeStatement → Claim. |
| evidence | Evidence Source | NIST proofing, entity resolution, SSF | Supports claims and synonymity. SSF SET = event Evidence Source. |
| assurance | Assurance Level | NIST IAL/AAL/FAL | Orthogonal identity, authentication, federation confidence. |
| identifier binding | Identifier Binding | OIDC iss+sub, WebID-OIDC, SAML | Assertion that identifier refers to target in scope. |
| synonymity | Synonymity Assertion | entity resolution, OIDC linking, schema.org sameAs | Scoped evidenced equivalence. sameAs is weak by default. |
| weak match | Weak Synonymity Assertion | probabilistic matching | Probabilistic link; never destructive merge. |
| strong link | Strong Synonymity Assertion | deterministic match, verified linking | Authoritative or verified; still scoped. |
| same_as | Synonymity Assertion (strong) | synonymity model | High-confidence equivalence relation type. |
| probably_same_as | Synonymity Assertion (weak) | probabilistic matching | Probabilistic equivalence relation type. |
| linked_to | Synonymity Assertion (operational) | account linking | Convenience link without semantic sameness claim. |
| pseudonym | Pseudonymous Identifier | GDPR, OIDC pairwise | Limits cross-scope correlation. |
| pairwise subject | Scoped Identifier | OIDC | RP-specific sub preventing global correlation. |
| relationship tuple | Relationship Tuple | Zanzibar, OpenFGA, Keto | Authz projection: subject#relation@object. |
| policy | Authorization Projection | Cedar, Cerbos | Rule artifact; downstream of canon model. |
| lifecycle state | Lifecycle State | SCIM active, SSF/RISC events, VC status | Applies to records, credentials, relationships, assertions. |
| subscriber | Account / Identity Record | NIST | Enrolled party at CSP; not synonymous with Natural Person until IAL binding. |
| issuer | Scope + Trust Relationship | OIDC iss, VC issuer, SAML IdP | Namespace authority for identifiers and claims. |
| relying party | Scope | OIDC RP, SAML SP, NIST | Consumer of assertions; RP-local account binding. |
| nameid | Identifier | SAML | Format attribute determines persistence and privacy semantics. |
| distinguished name | Identifier | LDAP | Compound locator in directory namespace. |
| externalid | Identifier | SCIM | Client-supplied cross-system correlation key. |
| traits | Profile attributes | Kratos | Schema-validated identity attributes. |
| verification method | Credential | DID Core | Cryptographic key in DID document. |
| verifiable credential | Credential + Claim | VC Data Model | Signed claim set; distinct from login credential. |
| holder | Actor (custody role) | VC, OpenID4VC | Party possessing VC; may differ from subject. |
| verifier | Scope (evaluation role) | VC, OpenID4VC | Validates presentations. |
| did | Identifier | DID Core | Decentralized identifier with method-specific resolution. |
| webid | Identifier | WebID/Solid | HTTP URI identifying agent with dereferenceable profile. |
| data subject | Natural Person | GDPR | Identifiable natural person for privacy regulation. |
| pseudonymization | Processing pattern | GDPR | Technique; maps to Scoped Identifier + separated re-id key. |
| controller | Organization (legal role) | GDPR | Downstream legal role; not canonical identity root. |
| tuple (authz) | Relationship Tuple | Zanzibar | Authorization fact, not social relationship. |
| userset | Authorization Principal (indirect) | Zanzibar, OpenFGA | Subject referenced via relation chain. |
| derived role | Role (computed) | Cerbos | Role from attributes; should trace to Relationship when possible. |
| contextual tuple | Delegation context | OpenFGA | Ephemeral authz fact at check time. |
| sameas | Weak Synonymity Assertion | Schema.org | Informal web equivalence; not strong link without evidence. |
| organizationrole | Role + Membership | Schema.org | Temporal role with start/end dates. |
| assurance level change | Assurance Level update | SSF/CAEP | Event affecting IAL/AAL/FAL metadata. |
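As an added illustration of the synonymity rows above (`same_as`, `probably_same_as`, `linked_to`: scoped, evidenced, and weak matches never producing a destructive merge), here is a constructed resolver that merges identifiers only on strong assertions within one scope. This is not code from the project; `Assertion`, `resolve`, the identifier spellings and the sample evidence labels are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Synonymity(Enum):
    SAME_AS = "same_as"                    # strong: authoritative or verified link
    PROBABLY_SAME_AS = "probably_same_as"  # weak: probabilistic match, never merged
    LINKED_TO = "linked_to"                # operational: no sameness claim at all

@dataclass(frozen=True)
class Assertion:
    a: str          # identifier in a constructed "<family>:<value>" form
    b: str
    relation: Synonymity
    scope: str      # the scope the assertion is evidenced in
    evidence: str   # Evidence Source label (constructed)

def resolve(assertions, scope):
    """Union-find over same_as assertions valid in `scope`; probably_same_as
    pairs come back as review candidates and linked_to pairs as plain edges."""
    parent, candidates, links = {}, [], []
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for s in assertions:
        if s.scope != scope:
            continue  # an assertion never carries across scopes
        for ident in (s.a, s.b): find(ident)  # register both as singletons
        if s.relation is Synonymity.SAME_AS:
            parent[find(s.a)] = find(s.b)     # only strong links merge
        elif s.relation is Synonymity.PROBABLY_SAME_AS:
            candidates.append((s.a, s.b))     # surfaced for review, not merged
        else:
            links.append((s.a, s.b))          # convenience edge, no sameness
    groups = {}
    for x in list(parent):
        groups.setdefault(find(x), set()).add(x)
    clusters = [frozenset(g) for g in groups.values()]
    return clusters, candidates, links

# Constructed sample: two tenants, several identifier families, one billing link.
SAMPLE = [
    Assertion("oidc:idp-a/sub-42", "scim:dir/ext-42", Synonymity.SAME_AS, "tenant-1", "verified linking"),
    Assertion("scim:dir/ext-42", "ldap:cn=alice", Synonymity.SAME_AS, "tenant-1", "deterministic match"),
    Assertion("oidc:idp-a/sub-42", "oidc:idp-b/sub-9", Synonymity.PROBABLY_SAME_AS, "tenant-1", "fuzzy name+email"),
    Assertion("oidc:idp-b/sub-9", "stripe:cus_x", Synonymity.LINKED_TO, "tenant-1", "billing link"),
    Assertion("ldap:cn=alice", "oidc:idp-c/pairwise-7", Synonymity.SAME_AS, "tenant-2", "verified linking"),
]
```

Resolving the sample for `tenant-1` yields one three-member cluster plus singletons for the weakly matched and billing-linked identifiers, while the `tenant-2` assertion never pulls `tenant-1` identifiers into its cluster.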
## Source Note Citations

Terms above are grounded in backfilled notes under:

- `research/identity-provisioning/` (5 notes)
- `research/authentication-federation/` (4 notes)
- `research/authorization-relationships/` (4 notes)
- `research/social-community-graphs/` (4 notes)
- `research/verifiable-claims/` (3 notes)
- `research/entity-resolution-privacy/` (3 notes)
- `research/commercial-subscription/` (2 notes)
- `research/commercial-identity/` (8 notes)
## Remaining Backfill Needs

- Split `group` into authorization group vs. social collective where sources disagree (OpenFGA member vs. ActivityPub follower).
- Add product-version qualifiers when Keycloak/ZITADEL models evolve.
- Promote stable mappings to `canon/CanonicalGlossary.md` after scenario review.