Identity and Identifier should be defined terminology #571

Open
mmccool opened this issue Nov 30, 2020 · 5 comments

@mmccool

mmccool commented Nov 30, 2020

Due to confusion between "identity" and "identifier", these should be given formal definitions in the Terminology section. See discussion here: w3c/wot-security#192

Essentially, an identity is associated with one or more identifiers. Identity is fixed, but identifiers can come and go...

Oliver Pfaff brought this up; he may be able to provide some suitable definitions.

@OliverPfaff

Should be possible to assign me now...

@OliverPfaff

The suggestion is to adopt applicable RFC 4949 terms (quoted below):

$ identity
(I) The collective aspect of a set of attribute values (i.e., a
set of characteristics) by which a system user or other system
entity is recognizable or known. (See: authenticate, registration.
Compare: identifier.)

$ identifier
(I) A data object -- often, a printable, non-blank character
string -- that definitively represents a specific identity of a
system entity, distinguishing that identity from all others.
(Compare: identity.)

plus:

$ identification
(I) An act or process that presents an identifier to a system so
that the system can recognize a system entity and distinguish it
from other entities. (See: authentication.)

$ authentication
(I) The process of verifying a claim that a system entity or
system resource has a certain attribute value.
---some text snipped---
An authentication process consists of two basic steps:
- Identification step: Presenting the claimed attribute value
(e.g., a user identifier) to the authentication subsystem.
- Verification step: Presenting or generating authentication
information (e.g., a value signed with a private key) that acts
as evidence to prove the binding between the attribute and that
for which it is claimed. (See: verification.)
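
Added example, not part of the comment above, of RFC 4949, or of the WoT documents: a small Python model of the quoted terms, in which one identity is represented by several identifiers that can be bound and unbound, and authentication runs as an identification step followed by a verification step. The names `Identity`, `Registry` and `prove` are hypothetical, and an HMAC over a shared key is an assumption that stands in for the "value signed with a private key" in the RFC text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Identity:
    """RFC 4949 'identity': a set of attribute values (plus, here, a key)."""
    attributes: dict
    key: bytes  # assumption: shared secret standing in for a private key


class Registry:
    def __init__(self):
        self._by_identifier = {}  # identifier string -> Identity
        self._pending = {}        # identifier string -> outstanding challenge

    def bind(self, identifier, identity):
        # An identifier must represent exactly one identity.
        if self._by_identifier.get(identifier, identity) is not identity:
            raise ValueError(f"{identifier!r} already represents another identity")
        self._by_identifier[identifier] = identity

    def unbind(self, identifier):
        # Identifiers can come and go; the Identity object is left untouched.
        self._by_identifier.pop(identifier, None)
        self._pending.pop(identifier, None)

    def identify(self, identifier):
        """Identification step: present a claimed identifier, get a challenge."""
        challenge = secrets.token_bytes(16)
        if identifier in self._by_identifier:
            self._pending[identifier] = challenge
        return challenge  # also returned for unknown identifiers

    def verify(self, identifier, proof):
        """Verification step: check evidence binding identifier to identity."""
        identity = self._by_identifier.get(identifier)
        challenge = self._pending.pop(identifier, None)  # single-use challenge
        if identity is None or challenge is None:
            return None
        if hmac.compare_digest(proof, prove(identity.key, challenge)):
            return identity
        return None


def prove(key, challenge):
    """Claimant side: evidence computed over the challenge (HMAC-SHA256)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()
```

Authenticating through either bound identifier returns the same `Identity` object, and unbinding one identifier leaves the identity reachable through the other.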

@mlagally

mlagally commented Dec 10, 2020

(Issue was closed by accident)

@OliverPfaff
We should not include terminology that's defined elsewhere by just copying the text.
We could add a reference to the corresponding section of another document from a different SDO, but there's a risk that the referenced text is updated in an incompatible way.
In the case of an IETF RFC the situation is a bit different, since these are not likely to be changed in an incompatible way.

In general I would prefer if we have a self-contained set of definitions in the terminology section - we can add a note to point out that we use the same terminology as the other SDO.

The definition of "authentication" references "Verification", which imho should also be defined in the terminology section.

@mlagally

Architecture call on Dec. 10th:
Agreed to include a reference or a brief definition that's in line with RFC-4949.
@OliverPfaff - Could you please create a PR?

@mlagally

Consider also referencing terminology from Distributed identifiers WG note: https://www.w3.org/TR/did-core/#terminology, possibly also ISO (See References in Security)
