Sources and References
This page lists the sources referenced throughout this website. All definitions and non-trivial claims are mapped to authoritative sources.
Numbered References
1. PCI Security Standards Council - Tokenization Product Security Guidelines
   PCI Security Standards Council guidelines for evaluating tokenization products.
   https://www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf

2. NIST - Data Security and Tokenization
   National Institute of Standards and Technology publications on data protection and tokenization approaches.
   https://csrc.nist.gov/publications

3. GDPR - General Data Protection Regulation
   Regulation (EU) 2016/679 of the European Parliament and of the Council. Article 4(5) defines pseudonymisation; Article 5 sets out the principles relating to processing of personal data.
   https://eur-lex.europa.eu/eli/reg/2016/679/oj

4. OSIA - Open Standards Identity APIs
   Secure Identity Alliance OSIA specifications for identity management systems, including the UIN (Unique Identity Number) concept and sectoral identifiers.
   https://osia.readthedocs.io/

5. Kantara Initiative - Consent Receipt Specification
   Kantara Initiative specification for machine-readable consent receipts.
   https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification

6. Nature - Re-identification Risks in Anonymized Data
   Peer-reviewed research (Nature Communications, 2019) on re-identification attacks against supposedly anonymous datasets using generative models.
   https://www.nature.com/articles/s41467-019-10933-3

7. FTC - Data Brokers: A Call for Transparency and Accountability
   Federal Trade Commission report (May 2014) on data broker practices and their privacy implications.
   https://www.ftc.gov/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014

8. IETF - SD-JWT (Selective Disclosure for JWTs)
   Internet Engineering Task Force (OAuth Working Group) draft specification for selective disclosure of claims in JSON Web Tokens.
   https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

9. UIN Generator App
   Reference implementation demonstrating OSIA UIN generation concepts, developed in collaboration with the OSIA working group on UIN and Tokenization.
   https://uin-generator.app

10. PCI DSS v4.0 - Tokenization Scope Reduction
    Payment Card Industry Data Security Standard guidance on reducing the cardholder data environment (CDE) scope through tokenization.
    https://www.pcisecuritystandards.org/document_library/

11. Article 29 Working Party - Opinion on Anonymisation Techniques
    WP29 Opinion 05/2014 (WP216) on Anonymisation Techniques, distinguishing pseudonymisation from anonymisation.
    https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf

12. HL7 FHIR - Patient Privacy and Consent
    HL7 Fast Healthcare Interoperability Resources (FHIR) Consent resource specification for recording consent and privacy directives in healthcare.
    https://www.hl7.org/fhir/consent.html

13. FATF - Digital Identity Guidance
    Financial Action Task Force guidance on the use of digital identity for customer due diligence (March 2020).
    https://www.fatf-gafi.org/en/publications/Financialinclusionandnpoissues/Digital-identity-guidance.html

14. W3C - Verifiable Credentials Data Model
    W3C Recommendation for expressing verifiable credentials on the web.
    https://www.w3.org/TR/vc-data-model/

15. GDPR Article 4 - Definitions
    Official definitions from Regulation (EU) 2016/679, including Article 4(5) on pseudonymisation.
    https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

16. GDPR Recital 26 - Principles of Data Protection
    Clarifies that pseudonymised personal data remains subject to the GDPR, while anonymised data, where the data subject is not or no longer identifiable, falls outside the regulation's scope.
    https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
Additional Resources
Standards Organizations
- ISO/IEC 27001 - Information security management systems
- W3C Decentralized Identifiers (DIDs) - Decentralized identifier specification
- OpenID Connect - Identity layer on top of OAuth 2.0
- FIDO Alliance - Authentication standards
Privacy Regulations
- European Data Protection Board - GDPR guidance and opinions
- California Consumer Privacy Act (CCPA) - California privacy law
- PIPEDA - Canadian privacy law
Technical Resources
- NIST SP 800-63 - Digital Identity Guidelines
- RFC 7519 - JSON Web Token (JWT)
- RFC 6749 - OAuth 2.0 Authorization Framework
Identity Initiatives
- Secure Identity Alliance - Identity standards development
- Decentralized Identity Foundation - Open standards for decentralized identity
- Trust Over IP Foundation - Digital trust infrastructure
Verification Methodology
Content on this site follows these verification principles:
- Definitions: Derived from authoritative sources (GDPR, NIST, PCI DSS)
- Technical claims: Supported by specifications (IETF, W3C) or peer-reviewed research
- Best practices: Based on industry guidance (OSIA, FATF, Kantara)
- Examples: Clearly labeled as illustrative, not endorsements
- Design considerations: Labeled as architectural guidance, not prescriptive requirements
Note on Currency
Standards and regulations evolve. Readers should verify current versions of referenced documents. Links were verified as of the publication date of this content.
Disclaimer: This website provides educational content about identity tokenization concepts and architectures. It does not constitute legal advice. Organizations should consult qualified legal and technical professionals when implementing identity systems. References to specific products or services do not constitute endorsement.