An identifier is a function that maps a real-world subject into a name or character string, so that distinct subjects have distinct strings. A real-world subject may be a person, an object (eg a printer or a file), a group, or a department. A real world subject can have multiple identifiers. For example, a person may have several identifiers: Social Security Number, email address, userids on several systems, a network ID, etc.

Identifiers have always been a part of the campus IT environment, but their use was relatively narrow and limited. As the number of computing and networked resources proliferate, so too do identifiers. With the growing consequence of these resources, the issues of rights and responsibilities associated with each identifier become critical, as does the relationships among them.

The key issues are:

a.) Assigning identifiers - How are they formed? Who hands them out? How long are they good for? Can they be reused? What resources are they valid for?

b.) Relating identifiers - Are some dependent on others? Can an effective mapping be made among a real-world subject's set of identifiers?

Current Environment

The current situation at most universities is that individuals have many disjoint identifiers and objects have few or no identifiers. Further, the scope and policies associated with identifiers tend to be poorly defined. Typically, a user will have an email address, a unix login or userid, a LAN account name, a social security type number, and perhaps additional identifiers for administrative systems, modem pools, etc. The rights and responsibilities of each identifier are usually not explicit. Further, when presented with one identifier for a subject, it may not be readily possible to obtain another identifier (for another context) if needed.

Identity today is primarily a campus-based issue. When campuses seek to interoperate, issues will arise on the type of identifier that needs to be exchanged, and the forms and policies for that identifier. Moreover, to the degree that identifiers enable users to access other forms of electronic credentials, there may need to be agreements and consistency between campuses about the policies associated with classes of identifiers.


Next steps

Given the importance and proliferation of identifiers, a campus should do an inventory of existing identifiers and examine the technologies and policies associated with them. A set of questions (Appendix 1) may serve as an aid.

Another useful step to clarifier the issues around electronic identifiers. This includes hosts, printers, etc.



Much of the deep thought and good work about identifiers in higher ed has been done by Stanford over the last few years. These references are particularly useful

A good description about object identifiers is Cliff Lynch's article on digital objects at



Appendix 1: An Inventory of Campus Identifiers

What are the primary identifiers used in electronic environments on campus? What are their primary uses?

Eg userid, social security number, netware login, email address.

For each of the primary identifiers, consider the following:

A. Scope of each identifier


Who issues the identifier?


What populations are able to get an ID?


What are the sets of resources that the identifier is used for?


Do you assign IDs to things other than people, such as objects and groups?


Do you have a policy of "one person, one ID"? If so, how do you ensure this?


B. Operational issues


Are IDs ever reassigned?


What identifiers are the keywords for directory accesses?


Are IDs chosen by users or auto-generated?


What proof does a real-world subject need to establish an ID?


Can users change IDs? Under what circumstances?


C. Interrelationships among identifiers


Do you have policy about use of the central ID/authn system by


applications, eg, central admin systems must use these IDs?


Do you have a policy restricting the use of central ID/authn system by departmental or personal servers?


Do you sync IDs among several authentication systems?


(eg Kerberos, NT, Netware)


Do all students/employees get an ID as part of entering the




What identifiers can be used to acquire other identifiers?