Digital identity glossary: Key terms, standards, and regulations

If you keep running into terms like verified digital credentials, decentralized identity, and trust frameworks, this glossary cuts through the jargon. We define the key concepts, standards, and regulations shaping digital identity today.
Digital identity is changing how businesses verify who they're dealing with, and with that shift has come a new vocabulary that can be hard to follow.
This glossary is a plain-language run-through of the terms you're most likely to encounter when reading about digital credentials, verified identity, and the frameworks governments and industry are building around them. We've grouped the entries into four sections:
- Core concepts: the building blocks of how digital identity works.
- Roles in the trust triangle: who does what when a credential is issued, held, and checked.
- Standards and formats: the technical specifications that credentials are built on.
- Regulations and trust frameworks: the laws and governance structures shaping how digital identity is accredited and used.
Core concepts
These are the ideas and terms at the heart of how digital identity works.
Digital identity: The electronic version of a person, organization, or thing used in online interactions. A digital identity is made up of details, like name, date of birth, address, and qualifications, that together describe who someone is in a given setting.
Digital credential: An electronic record that confirms something about a person or organization. That could be an identity attribute (age, nationality), a qualification (a university degree), or a permission (a professional license). A digital credential is issued by a trusted organization and shared electronically, rather than as a paper document or a scan.
Verified digital credential: A digital credential that can be checked cryptographically, meaning the organization receiving it can confirm who issued it and whether it has been changed since it was issued. Verified digital credentials remove the need for manual checks and can be validated instantly, without contacting the issuer. They are built on open standards, most notably the W3C Verifiable Credentials Data Model.
Identity attribute: A specific piece of information about a person, like their full name, date of birth, address, or nationality. A credential usually contains several attributes together, though some credentials are built around a single attribute, like proof of age.
Identity verification (vs. authentication): Two related but different things. Identity verification is the one-off check that confirms someone is who they say they are when they first set up their identity with an organization. Authentication is the ongoing check that confirms someone coming back to a service is the same person whose identity was originally verified.
Selective disclosure: The ability for someone to share only the specific information a verifier actually needs, rather than an entire credential or document. For example, proving that you're over 18 without revealing your full date of birth. Selective disclosure is one of the core privacy features of verifiable credentials.
Digital identity wallet: A secure application, usually on a mobile device, that holds digital credentials for the holder. Credentials sit on the person's own device rather than in a central database, and the holder chooses when and with whom to share them.
Decentralized identity: An approach where individuals hold and control their own credentials, rather than handing that job to a central organization. Credentials can be shown directly to a verifier, who confirms they're genuine using cryptography, without contacting the original issuer. This cuts down on how often personal data gets shared and removes the need for large central identity databases.
Trust triangle: A three-party model that describes how digital credentials are issued, held, and verified. The three roles are the issuer (the trusted organization that creates the credential), the holder (the person or organization the credential belongs to), and the verifier (whoever needs to confirm it). Each role connects to the other two, and together they form the foundation of how digital credentials work.
Interoperability: The ability for credentials issued by one organization to be accepted and checked by another, across systems, sectors, and borders. Interoperability is what makes a credential useful beyond where it was first issued, and it comes from shared technical standards, not one-off integrations between specific providers.
Roles in the trust triangle
Every digital credential passes through three parties before it's trusted. Together, these three roles make up what's known as the trust triangle.
Issuer: The organization that creates a digital credential and vouches for the information in it. Examples include government agencies issuing identity documents, universities issuing diplomas, and professional bodies issuing licenses. The issuer applies a digital signature so the credential's origin and integrity can be checked later.
Holder: The person or organization a credential belongs to, and who stores and shares it. In most models the holder keeps the credential on their own device and decides when to share it, and with whom. The holder can't change the credential themselves.
Verifier (or relying party): An organization that needs to confirm a credential before providing a service, completing a transaction, or meeting a regulatory requirement. A verifier checks the credential's digital signature to confirm it came from a trusted issuer and hasn't been changed. The term "relying party" is often used to mean the same thing, especially in regulations.
Standards and formats
The open technical rules that make digital credentials work consistently across systems and providers. You don't need to know these in detail, but the names come up often in industry and legal documents.
Verifiable Credentials Data Model: An open standard from the World Wide Web Consortium (W3C) that sets out how verifiable credentials are structured, signed, and presented. It is flexible enough to support many types of credentials, from identity documents to academic records, and is one of the two main credential formats referenced in EU and industry specifications.
mdoc: A credential format set out in the international standard ISO/IEC 18013-5 for holding identity documents on a mobile device. An mdoc is cryptographically signed and can be shared over short-range connections like Bluetooth or NFC, or online for remote checks. The format was designed specifically for identity documents and is used in government-issued credential programs around the world.
mDL: A mobile driver's license. An mDL is a specific type of mdoc: a digitally issued version of a physical driver's license that can be stored in a digital identity wallet and shared electronically. Several US states, Australian states, and other jurisdictions now issue mDLs, and they are commonly used for age verification and identity checks at airports.
Selective disclosure credentials (SD-JWT VC): A credential format that builds on the widely used JSON Web Token (JWT) standard and adds support for selective disclosure, which lets a holder share only the specific information a verifier needs. SD-JWT VC is increasingly used in the EU digital identity ecosystem alongside the W3C and ISO formats, and is one of the formats referenced in eIDAS 2.0 implementing acts.
OpenID for Verifiable Credential Issuance (OID4VCI): A protocol that sets out how a credential issuer sends a digital credential to a holder's wallet. OID4VCI builds on the widely used OAuth 2.0 protocol, which makes it easier for developers to adopt, and can be used with any of the main credential formats. It is one of the main issuance protocols referenced in EU and industry specifications.
Public Key Infrastructure (PKI): The underlying cryptographic technology that allows digital signatures to be created and checked. PKI uses pairs of related keys, one private and one public, to confirm that a signed piece of data came from the holder of the private key and hasn't been changed. Most digital identity and trust services rely on PKI, including advanced and qualified electronic signatures under eIDAS.
Regulations and trust frameworks
The laws and rules that govern how digital identity is accredited and used. These vary by country but increasingly point in the same direction: accredited providers, credentials that work across borders, and people in control of their own data.
Digital Identity Services Trust Framework (DISTF): New Zealand's regulatory and governance framework for accredited digital identity services, set up under the Digital Identity Services Trust Framework Act 2023. DISTF sets the rules providers must meet to issue or accept verified digital credentials in NZ, and is overseen by an independent Trust Framework Authority.
eIDAS 2.0: Regulation (EU) 2024/1183, which updates the European Union's framework for digital identity, electronic signatures, and trust services. Its biggest change is the introduction of the European Digital Identity Wallet, which every EU member state must make available to its citizens. eIDAS 2.0 also defines the three tiers of electronic signature (SES, AES, and QES) and sets the rules for the trust service providers that support them.
Simple Electronic Signature (SES): The most basic form of electronic signature under eIDAS. SES covers things like typing a name at the end of a document, clicking an "I agree" button, or inserting an image of a signature. SES signatures are widely accepted for everyday business agreements where stronger identity checks aren't needed.
Advanced Electronic Signature (AES): An electronic signature that gives stronger identity assurance than SES. Under eIDAS, an AES must be uniquely linked to the signer, capable of identifying them, created using data the signer controls, and able to detect any changes made to the document after signing. AES is commonly used for business contracts that need a clearer link between signer and signature.
Qualified Electronic Signature (QES): The highest level of electronic signature defined under eIDAS, and the only type that is legally equivalent to a handwritten signature across all EU member states. A QES must be created using a qualified certificate issued by a qualified trust service provider, and applied using a certified secure device. Under eIDAS 2.0, the European Digital Identity Wallet is expected to make QES easier to get.
NIST SP 800-63: The US National Institute of Standards and Technology's Digital Identity Guidelines, a widely referenced set of technical requirements for identity proofing, authentication, and federation. Although the guidelines are written for US federal agencies, they're influential globally and get referenced in many other countries' digital identity frameworks.
Trust service provider: An organization approved to provide identity and trust-related services, like issuing certificates, validating signatures, or managing digital identities. Under eIDAS 2.0 in the EU, a "qualified trust service provider" (QTSP) is one that meets the regulation's higher standards and is allowed to support Qualified Electronic Signatures.
Trust registry: A list, kept by an accreditation body, of the issuers and verifiers approved to operate within a specific digital trust framework. Trust registries give organizations a reliable way to check whether a credential comes from an accredited source, and they are a practical way to enforce governance rules across a wider ecosystem.
