Dictionary of Terms

A

ACCEPT (A CERTIFICATE) - To demonstrate approval of a certificate by a certificate applicant while knowing or having notice of its informational contents, in accordance with the CPS.
ACCESS - A specific type of interaction between a submission and communications or information resources that results in a flow of information, the exercise of control, or the activation of a process.
ACCREDITATION - A formal declaration by an Ignite-designated approving authority that a particular information system, professional or other employee or contractor, or organisation is approved to perform certain duties and to operate in a specific security mode, using a prescribed set of safeguards.
AFFILIATED CERTIFICATE - A certificate issued to an affiliated individual. (Cf., AFFILIATED INDIVIDUAL)
AFFILIATED INDIVIDUAL - An individual who is affiliated with an organisation (i) as an officer, director, employee, partner, contractor, intern, or other person within the organisation, or (ii) as a person maintaining a contractual relationship with the organisation where the organisation has business records providing strong assurances of the identity of such person. (Cf., AFFILIATED CERTIFICATE)
AFFIRM / AFFIRMATION - To state or indicate by conduct that data is correct or information is true.
ALIAS - A pseudonym.
APPLICANT - (See CA APPLICANT; CERTIFICATE APPLICANT)
ARCHIVE - To store records and associated journals for a given period of time for security, backup, or auditing purposes.
ASSURANCES - Statements or conduct intended to convey a general intention, supported by a good-faith effort, to provide and maintain a specified service by an IA. "Assurances" does not necessarily imply a guarantee that the services will be performed fully and satisfactorily. Assurances are distinct from insurance, promises, guarantees, and warranties, unless otherwise expressly indicated.
AUDIT - A procedure used to validate that controls are in place and adequate for their purposes. Includes recording and analysing activities to detect intrusions or abuses into an information system. Inadequacies found by an audit are reported to appropriate management personnel.
AUTHENTICATE - (See AUTHENTICATION)
AUTHENTICATED RECORD - A signed document with appropriate assurances of authentication or a message with a digital signature verified by a valid Class 3 certificate by a relying party. However, for suspension and revocation notification purposes, the digital signature contained in such notification message must have been created by the private key corresponding to the public key contained in the certificate for the applicable certificate class.
AUTHENTICATION - A process used to confirm the identity of a person or to prove the integrity of specific information. Message authentication involves determining its source and verifying that it has not been modified or replaced in transit. (Cf., VERIFY (A DIGITAL SIGNATURE))
AUTHORISATION - The granting of rights, including the ability to access specific information or resources.
AVAILABILITY - The extent to which information or processes are reasonably accessible and usable, upon demand, by an authorised entity, allowing authorised access to resources and timely performance of time-critical operations.

B

BINDING - An affirmation by an IA (or its LRA) of the relationship between a named entity and its public key.

C

CA APPLICATION (NON-IGNITE CA APPLICATION) - The application submitted to the applicable Ignite PCA by a non-Ignite entity requesting to become a certification authority or subordinate certification authority, and requesting an IA certificate, within Ignite's public certification services.
CA APPLICANT - A person who submits a CA application to Ignite requesting to become a CA or subordinate CA. (Cf., SUBSCRIBER)
CERTIFICATE (PUBLIC KEY CERTIFICATE) - A message (see definition for MESSAGE) that, at least, states a name or identifies the IA, identifies the subscriber, contains the subscriber's public key, identifies the certificate's operational period, contains a certificate serial number, and is digitally signed by the IA. All references to a "Class [1 or 3] certificate" or to a "certificate" without a modifying adjective are intended as references to both "normal" and "provisional" certificates, unless the context requires otherwise. References to a certificate refer exclusively to certificates issued by an IA. (Cf., PROVISIONAL CERTIFICATE)
CERTIFICATE APPLICANT - A person or authorised agent that requests the issuance of a public key certificate by an IA. (Cf., CA APPLICANT; SUBSCRIBER)
CERTIFICATE APPLICATION - A request from a certificate applicant (or authorised agent) to an IA for the issuance of a certificate. (Cf., CERTIFICATE APPLICANT; CERTIFICATE SIGNING REQUEST)
CERTIFICATE CHAIN - An ordered list of certificates containing an end-user subscriber certificate and IA certificates. (See VALID CERTIFICATE)
CERTIFICATE EXPIRATION - The time and date specified in the certificate when the operational period ends, without regard to any earlier suspension or revocation.
CERTIFICATE EXTENSION - An extension field to a certificate which may convey additional information about the public key being certified, the certified subscriber, the certificate issuer, and/or the certification process. Standard extensions are defined in Amendment 1 to ISO/IEC 9594-8:1995 (X.509). Custom extensions can also be defined by communities of interest.
CERTIFICATE HIERARCHY - An Ignite PCS domain of IAs, each categorised with respect to its role in a "tree structure" of subordinate IAs. An IA issues and manages certificates for end-user subscribers and/or for one or more IAs at the next level. Note: an IA in a trust hierarchy must observe uniform practices addressing issues such as naming, maximum number of levels, etc., to assure integrity of the domain and thereby ensure uniform accountability, auditability, and management through the use of trustworthy operational processes.
CERTIFICATE ISSUANCE - The actions performed by an IA in creating a certificate and notifying the certificate applicant (anticipated to become a subscriber) listed in the certificate of its contents.
CERTIFICATE MANAGEMENT - Certificate management includes, but is not limited to, storage, dissemination, publication, revocation, and suspension of certificates. An IA undertakes certificate management functions by serving as a registration authority for subscriber certificates. An IA designates issued and accepted certificates as valid by publication.
CERTIFICATE OF AUTHENTICITY - A document issued by an authorised official of the jurisdiction in which an acknowledgment by a notary was taken, such as the secretary of state of a state (U.S.) to authenticate the status of a notary.
CERTIFICATE REVOCATION - (See REVOKE A CERTIFICATE)
CERTIFICATE REVOCATION LIST (CRL) - A list of identified certificates that have been revoked prior to their expiration dates. The list generally indicates the CRL issuer's name, the date of issue, the revoked certificates' serial numbers, and the specific times for revocation.
CERTIFICATE SERIAL NUMBER - A value that unambiguously identifies a certificate generated by an IA.
CERTIFICATE SIGNING REQUEST (CSR) - A machine-readable form of a certificate application. (Cf., CERTIFICATE APPLICATION)
CERTIFICATION / CERTIFY - The process of issuing a certificate by an IA.
CERTIFICATION AUTHORITY (CA) - A person (see definition for PERSON) authorised to issue certificates. Under the Ignite PCS, a CA is subordinate to a PCA. (Cf., REGISTRATION AUTHORITY; TRUSTED THIRD PARTY)
CERTIFICATION PRACTICE STATEMENT (CPS) - This document, as revised from time to time (representing Ignite's statement of practices an IA employs in issuing certificates).
CERTIFIER - (See ISSUING AUTHORITY)
CHALLENGE PHRASE - A set of numbers and/or letters that are chosen by a certificate applicant, communicated to the IA with a certificate application, and used by the IA to authenticate the subscriber for various purposes as required by the CPS. A challenge phrase is also used by a secret share holder to authenticate himself, herself, or itself to a secret share issuer. The Ignite challenge phrase is case sensitive.
CLASS [1, 2, OR 3] CERTIFICATE - A certificate of a specified level of trust.
COMMERCIAL REASONABLENESS - In the context of electronic commerce, the implementation and use of technology, controls, and administrative and operational procedures that reasonably ensure system and message trustworthiness.
COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE - A Class 3 certificate that is issued to organisations only and is used for software validation. (Cf., INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE; SOFTWARE VALIDATION)
COMMON KEY - Some systems of cryptographic hardware require arming through a secret-sharing process and require that the last of these shares remain physically attached to the hardware in order for it to stay armed. In this case, "common key" refers to this last share. It is not assumed to be secret as it is not continually in an individual's possession.
COMPROMISE - A violation (or suspected violation) of a security policy, in which an unauthorised disclosure of, or loss of control over, sensitive information may have occurred. (Cf., DATA INTEGRITY)
CONFIDENTIALITY - The condition in which sensitive data is kept secret and disclosed only to authorised parties.
CONFIRM - To ascertain through appropriate inquiry and investigation. (Cf., AUTHENTICATION; VERIFY A DIGITAL SIGNATURE)
CONFIRMATION OF CERTIFICATE CHAIN - The process of validating a certificate chain and subsequently validating an end-user subscriber certificate.
CONTROLS - Measures taken to ensure the integrity and quality of a process.
CORRESPOND - To belong to the same key pair. (See also PUBLIC KEY; PRIVATE KEY)
CROSS-CERTIFICATION - A condition in which either or both an Ignite PCA and a non-Ignite certificate issuing entity (representing another certification domain) issues a certificate having the other as the subject of that certificate.
CRYPTOGRAPHIC ALGORITHM - A clearly specified mathematical process for computation; a set of rules that produce a prescribed result.
CRYPTOGRAPHY (Cf., PUBLIC KEY CRYPTOGRAPHY)
- The mathematical science used to secure the confidentiality and authentication of data by replacing it with a transformed version that can be reconverted to reveal the original data only by someone holding the proper cryptographic algorithm and key.
- A discipline that embodies the principles, means, and methods for transforming data in order to hide its information content, prevent its undetected modification, and/or prevent its unauthorised uses.
CRYPTOMODULE - A trustworthy implementation of a cryptosystem which safely performs encryption and decryption of data.

D

DATA - Programs, files, and other information stored in, communicated, or processed by a computer.
DATABASE - A set of related information created, stored, or manipulated by a computerised management information system.
DATA CONFIDENTIALITY - (See CONFIDENTIALITY)
DATA INTEGRITY - A condition in which data has not been altered or destroyed in an unauthorised manner. (See also THREAT; cf., COMPROMISE)
DEMO CERTIFICATE - A certificate issued by an IA to be used exclusively for demonstration and presentation purposes and not for any secure or confidential communications. Demo certificates may be used by authorised persons only.
DENIAL OF SERVICE - (See AVAILABILITY)
DIGITAL ID (See CERTIFICATE) - An Ignite service mark and brand name for a certificate.
DIGITAL SIGNATURE - A transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key and whether the message has been altered since the transformation was made.
DIRECTORY - (Cf., REPOSITORY)
DISTINGUISHED NAME - A set of data that identifies a real-world entity, such as a person in a computer-based context. (e.g., countryName=GB, county=Suffolk, organisationName=Electronic Inc., commonName=JohnSmith).
DOCUMENT - A record consisting of information inscribed on a tangible medium such as paper rather than computer-based information. (Cf., MESSAGE; RECORD)

E

ELECTRONIC MAIL ("E-MAIL") - Messages sent, received or forwarded in digital form via a computer-based communication mechanism.
EMPLOYEE IN GOOD STANDING - A non-probationary employee that has not been terminated or suspended, and is not the subject of pending disciplinary action, by his or her employer.
ENCRYPTION - The process of transforming plaintext data into an unintelligible form (ciphertext) such that the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decryption process (two-way encryption).
END-USER SUBSCRIBER - A subscriber which is not also an IA.
ENHANCED NAMING - The use of an extended organisation field (OU=) in an X.509 v3 certificate.
ENROLMENT - The process of a certificate applicant's applying for a certificate.
ENTITY - (See PERSON)
EXPORT CONTROL CERTIFICATE - A certificate-based service that allows approved server certificate subscribers to operate in a strong encryption mode, and as a result, allows a browser accessing such a server to also operate in such strong encryption mode.
EXTENSIONS - Extension fields in X.509 v3 certificates. (See X.509)

F

FILE TRANSFER PROTOCOL (FTP) - The application protocol that offers file system access from the Internet suite of protocols.
FREE CERTIFICATE - A certificate issued by an IA such that the IA does not charge the subscriber a fee for the certificate or otherwise receive compensation.
FTP - (See FILE TRANSFER PROTOCOL)

G

GENERATE A KEY PAIR - A trustworthy process of creating private keys during certificate application whose corresponding public keys are submitted to the applicable IA during certificate application in a manner that demonstrates the applicant's capacity to use the private key.

H

HASH (HASH FUNCTION) - An algorithm that maps or translates one set of bits into another (generally smaller) set in such a way that:
- A message yields the same result every time the algorithm is executed using the same message as input.
- It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm.
- It is computationally infeasible to find two different messages that produce the same hash result using the same algorithm.

I

IA - (See ISSUING AUTHORITY)
IA CERTIFICATE - A certificate issued by an authorised superior IA to a subordinate IA. (See SUPERIOR IA; SUBORDINATE IA; cf., CERTIFICATE)
IDENTIFICATION/IDENTITY - The process of confirming the identity of a person. Identification is facilitated in public key cryptography by means of certificates.
IDENTITY - A unique piece of information that marks or signifies a particular entity within a domain. Such information is only unique within a particular domain.
IGNITE NAMING AUTHORITY - An Ignite registration authority that establishes and enforces controls over and has decision-making authority regarding the issuance of relative distinguished names for all IAs (but not for end-user subscribers). (Cf., NAMING AUTHORITY)
IGNITE PUBLIC CERTIFICATION SERVICES (PCS) - The certification system provided by Ignite and any Ignite-authorised IAs described in this CPS.
IGNITE QUALIFIER - A data syntax facilitating the representation of a set of values which restrict the meaning of the Ignite CPS. The qualifier value augments the standard certificate policy extension present in all certificates according to the rules defined by X.509 for that extension type.
IGNITE ROOT (TR) - An IA that registers PCAs by registering the self-signed public key of each PCA.
INCORPORATE BY REFERENCE - To make one message a part of another message by identifying the message to be incorporated, with information that enables the receiving party to access and obtain the incorporated message in its entirety, and by expressing the intention that it be part of the incorporating message. Such an incorporated message shall have the same effect as if it had been fully stated in the message to the extent permitted by law.
INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE - A Class 2 certificate that is issued to individuals only and is used for software validation. (Cf., COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE; SOFTWARE VALIDATION)
INTEGRITY - (See DATA INTEGRITY)
INTEGRITY SERVICES - Integrity services provide certificates to software publishers who desire to digitally sign their software publications to facilitate their customers' (end-users') ability to undertake software validation.
ISSUING A CERTIFICATE - (See CERTIFICATE ISSUANCE)
ISSUER - (See ISSUING AUTHORITY)
ISSUING AUTHORITY (IA) - Within Ignite's PCS, the TR, PCA, or CA (or subordinate CA) that issues, suspends, or revokes a certificate. IAs are identified by a distinguished name on all certificates and CRLs they issue. With prior approval by Ignite, an IA may delegate the responsibility to evaluate and approve or reject certificate applications to one or more LRAs not owned or operated by the IA under CPS Section 2.1.3. When such delegation occurs and where the context requires, the term "IA" in this CPS shall include such LRAs with respect to the delegating IA's obligations, representations, warranties, and disclaimers.

J

-

K

KEY GENERATION - The trustworthy process of creating a private key/public key pair. The public key is supplied to an IA during the certificate application process.
KEY PAIR - A private key and its corresponding public key. The public key can verify a digital signature created by using the corresponding private key. In addition, depending upon the type of algorithm implemented, key pair components can also encrypt and decrypt information for confidentiality purposes, in which case a private key uniquely can reveal information encrypted by using the corresponding public key.

L

LOCAL REGISTRATION AUTHORITY (LRA) - An entity approved by an IA to assist persons in applying for certificates, revoking (or where authorised, suspending) their certificates, or both and also approving such applications. An LRA is not the agent of a certificate applicant. An LRA may not delegate the authority to approve certificate applications other than to authorised LRAAs of the LRA. (Cf., LOCAL REGISTRATION AUTHORITY ADMINISTRATOR)
LOCAL REGISTRATION AUTHORITY ADMINISTRATOR (LRAA) - An employee of an LRA that is responsible for carrying out the functions of an LRA. (Cf., LOCAL REGISTRATION AUTHORITY)

M

MESSAGE - A digital representation of information; a computer-based record. A subset of RECORD. (Cf., RECORD)
MESSAGE INTEGRITY - (See DATA INTEGRITY)
MICROSOFT AUTHENTICODE™ - (See SOFTWARE VALIDATION)

N

NAME - A set of identifying attributes purported to describe an entity of a certain type.
NAMING - Naming is the assignment of descriptive identifiers to objects of a particular type by an authority which follows specific issuing procedures and maintains specific records pertinent to an identified registration process. (Cf., NAMING AUTHORITY; IGNITE NAMING AUTHORITY)
NAMING AUTHORITY - A body which executes naming policy and procedures and has control over the registration and assignment of primitive (basic) names to objects of a particular class. (Cf., NAMING; IGNITE NAMING AUTHORITY)
NON-REPUDIATION - Provides proof of the origin or delivery of data in order to protect the sender against a false denial by the recipient that the data has been received or to protect the recipient against false denial by the sender that the data has been sent. Note: Only a trier of fact (someone with the authority to resolve disputes) can make an ultimate determination of nonrepudiation. By way of illustration, a digital signature verified pursuant to this CPS can provide proof in support of a determination of nonrepudiation by a trier of fact, but does not by itself constitute nonrepudiation.
NON-VERIFIED SUBSCRIBER INFORMATION (NSI) - Information submitted by a certificate applicant to an IA, and included within a certificate, which has not been confirmed by the IA and for which the IA provides no assurances other than that the information was submitted by the certificate applicant. Information such as titles, professional degrees, accreditations, and Registration Field Information are considered NSI unless otherwise indicated.
NON-IGNITE IA - An IA that is not owned or operated by Ignite. (Cf., ISSUING AUTHORITY)
NON-IGNITE ORGANISATIONAL LRA - An LRA that is not owned or operated by Ignite and is restricted to performing LRA functions in connection with certificates issued to affiliated individuals that are affiliated with it. (See CPS Section 2.5.4; Cf., LOCAL REGISTRATION AUTHORITY; AFFILIATED INDIVIDUALS)
NORMAL CERTIFICATE - (See CERTIFICATE)
NOTICE - The result of notification in accordance with this CPS.
NOTIFY - To communicate specific information to another person as required by this CPS and applicable law.

O

ON-LINE - Communications that provide a real-time connection to the Ignite PCS.
OPERATIONAL CERTIFICATE - A certificate which is within its operational period at the present date and time or at a different specified date and time, depending on the context.
OPERATIONAL PERIOD - The period starting with the date and time a certificate is issued (or on a later date and time certain if stated in the certificate) and ending with the date and time on which the certificate expires or is earlier suspended or revoked.
ORGANISATION - An entity with which a user is affiliated. An organisation may also be a user.
ORIGINATOR - A person by whom (or on whose behalf) a data message is purported to have been generated, stored, or communicated. It does not include a person acting as an intermediary.

P

PARTIES - The entities whose rights and obligations are intended to be controlled by this CPS. These entities may include certificate applicants, IAs, subscribers, and relying parties. (See USER; ISSUING AUTHORITY; RELYING PARTY)
PASSWORD (PASS PHRASE; PIN NUMBER) - Confidential authentication information, usually composed of a string of characters used to provide access to a computer resource.
PC CARD (See also SMART CARD) - A hardware token compliant with standards promulgated by the Personal Computer Memory Card International Association (PCMCIA) providing expansion capabilities to computers, including the facilitation of information security.
PERSON - An individual or an organisation (or a device under the control of an individual or organisation) capable of signing or verifying a message, either legally or as a matter of fact. (A synonym of ENTITY.)
PERSONAL PRESENCE - The act of appearing (physically rather than virtually or figuratively) before an LRA or its designee and proving one's identity as a prerequisite to certificate issuance under certain circumstances.
PKI HIERARCHY - A set of IAs whose functions are organised according to the principle of delegation of authority and related to each other as subordinate and superior IA.
PLEDGE - (See SOFTWARE PUBLISHER'S PLEDGE)
PRIMARY CERTIFICATION AUTHORITY (PCA) - A person that establishes practices for all certification authorities and users within its domain.
PRIVATE KEY - A mathematical key (kept secret by the holder) used to create digital signatures and, depending upon the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key. (See also PUBLIC KEY CRYPTOGRAPHY; PUBLIC KEY)
PROVISIONAL CERTIFICATE - A Class 2 certificate during the first 21 days of its operational period that is issued upon the successful completion of all required IA-internal validation procedures with respect to a Class 2 certificate application. The provisional state denotes that further validation of the certificate application regarding the subscriber's identity will be completed through a postal address "mail-back" procedure. (Cf., CERTIFICATE)
PUBLIC CERTIFICATION SERVICES - (See IGNITE PUBLIC CERTIFICATION SERVICES)
PUBLIC KEY - A mathematical key that can be made publicly available and which is used to verify signatures created with its corresponding private key. Depending on the algorithm, public keys are also used to encrypt messages or files which can then be decrypted with the corresponding private key. (See also PUBLIC KEY CRYPTOGRAPHY; PRIVATE KEY)
PUBLIC KEY CERTIFICATE - (See CERTIFICATE)
PUBLIC KEY CRYPTOGRAPHY (Cf., CRYPTOGRAPHY) - A type of cryptography that uses a key pair of mathematically related cryptographic keys. The public key can be made available to anyone who wishes to use it and can encrypt information or verify a digital signature; the private key is kept secret by its holder and can decrypt information or generate a digital signature.
PUBLIC KEY INFRASTRUCTURE (PKI) - The architecture, organisation, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. The PKI consists of systems which collaborate to provide and implement the PCS and possibly other related services.
PUBLIC/PRIVATE KEY PAIR - (See PUBLIC KEY; PRIVATE KEY; KEY PAIR)
PUBLISH / PUBLICATION - To record or file information in the Ignite repository and optionally in one or more other repositories in order to disclose and make publicly available such information in a manner that is consistent with this CPS and applicable law.

Q

QUALIFIER - (See IGNITE QUALIFIER)

R

RECIPIENT (of a DIGITAL SIGNATURE) - A person who receives a digital signature and who is in a position to rely on it, whether or not such reliance occurs. (Cf., RELYING PARTY)
RECORD - Information that is inscribed on a tangible medium (a document) or stored in an electronic or other medium and retrievable in perceivable form. The term "record" is a superset of the two terms "document" and "message". (Cf., DOCUMENT; MESSAGE)
RE-ENROLLMENT - (Cf., RENEWAL)
REGISTERED STRING - A class of object subject to registration and recording procedures which demonstrates the value is unambiguous within the records of the registration authority. The type of value recorded is a string of characters.
REGISTRATION AUTHORITY - An entity trusted to register other entities and assign them a relative distinguished value such as a distinguished name or a hash of a certificate. A registration scheme for each registration domain ensures that each registered value is unambiguous within that domain. (Cf., CERTIFICATION AUTHORITY)
REGISTRATION FIELD INFORMATION - Country, post code, age, and gender data included within designated certificates at the option of the subscriber.
RELATIVE DISTINGUISHED NAME (RDN) - A set of attributes comprising an entity's distinguished name that distinguishes the entity from others of the same type.
RELY / RELIANCE (on a CERTIFICATE and DIGITAL SIGNATURE) - To accept a digital signature and act in a manner that could be detrimental to oneself were the digital signature to be ineffective. (Cf., RELYING PARTY; RECIPIENT)
RELYING PARTY - A recipient who acts in reliance on a certificate and digital signature. (Cf., RECIPIENT; RELY OR RELIANCE (on a CERTIFICATE and DIGITAL SIGNATURE))
RENEWAL - The process of obtaining a new certificate of the same class and type for the same subject once an existing certificate has expired.
REPOSITORY - A database of certificates and other relevant information accessible on-line.
REPUDIATION (See also NON-REPUDIATION) - The denial or attempted denial by an entity involved in a communication of having participated in all or part of the communication.
REVOKE A CERTIFICATE - The process of permanently ending the operational period of a certificate from a specified time forward.
ROOT - The IA that issues the first certificate in a certification chain. The root's public key must be known in advance by a certificate user in order to validate a certification chain. The root's public key is made trustworthy by some mechanism other than a certificate, such as by secure physical distribution.
RSA - A public key cryptographic system invented by Rivest, Shamir & Adleman.

S

SECRET SHARE - A portion of a cryptographic secret split among a number of physical tokens.
SECRET SHARE HOLDER - An authorised holder of a physical token containing a secret share.
SECRET SHARE ISSUER - The person designated by an IA to create and distribute secret shares.
SECRET SHARING (See also SECRET SHARE) - The practice of distributing secret shares of a private key to a number of secret share holders; threshold-based splitting of keys.
SECURE CHANNEL - A cryptographically enhanced communications path that protects messages against perceived security threats.
SECURITY - The quality or state of being protected from unauthorised access or uncontrolled losses or effects. Absolute security is impossible to achieve in practice and the quality of a given security system is relative. Within a state-model security system, security is a specific "state" to be preserved under various operations.
SECURITY POLICY - A document which articulates requirements and good practices regarding the protections maintained by a trustworthy system in support of the PCS.
SECURITY SERVICES - Services provided by a set of security frameworks and performed by means of certain security mechanisms. Such services include, but are not limited to, access control, data confidentiality, and data integrity.
SELF-SIGNED PUBLIC KEY - A data structure that is constructed the same as a certificate but that is signed by its subject. Unlike a certificate, a self-signed public key cannot be used in a trustworthy manner to authenticate a public key to other parties. A PCA self-signed public key digitally signed by the TR shall constitute a certificate. (Cf., CERTIFICATE)
SERIAL NUMBER - (See CERTIFICATE SERIAL NUMBER)
SERVER - A computer system that responds to requests from client systems.
SIGN - To create a digital signature for a message, or to affix a signature to a document, depending upon the context.
SIGNATURE - A method that is used or adopted by a document originator to identify himself or herself, which is either accepted by the recipient or its use is customary under the circumstances. (Cf., DIGITAL SIGNATURE)
SIGNER - A person who creates a digital signature for a message, or a signature for a document.
SMART CARD - A hardware token that incorporates one or more integrated circuit (IC) chips to implement cryptographic functions and that possesses some inherent resistance to tampering.
S/MIME - A specification for E-mail security exploiting a cryptographic message syntax in an Internet MIME environment.
SOFTWARE PUBLISHER - A subscriber who obtained a special certificate used to digitally sign software with the Microsoft AuthenticodeTM system. Subscribers may also obtain other Class 2 and 3 certificates that may be used to sign bodytext, including software, but the subscribers of such other certificates are not software publishers as defined in the CPS. (Cf., INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE; COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE)
SOFTWARE PUBLISHER'S CERTIFICATE REVOCATION STATUS SERVICE - An automated, on-line status service used to support software validation, provided exclusively for software publisher's certificates. The service is automatically (and exclusively) invoked upon the downloading of software digitally signed with a software publisher's certificate. That is, upon receipt of such digitally signed software, the Web browser's authentication module automatically establishes a connection to Ignite and queries an Ignite server to validate the software publisher's certificate. The service returns to the Web browser a digitally signed status message. The service's data is Ignite repository-based and is updated daily. The service is exclusively available to users of Microsoft Internet Explorer Web browsers. (Cf., SOFTWARE PUBLISHER'S PLEDGE; SOFTWARE VALIDATION)
SOFTWARE PUBLISHER'S PLEDGE - The representations and guarantees made by individual and commercial software publishers as stated in the CPS.
SOFTWARE VALIDATION - Ignite services which provide assurances in accordance with the CPS and the software publisher's pledge of an individual or commercial software publisher (for Microsoft Authenticode™ only) that digitally-signed software was duly published by the subject of the corresponding Ignite-issued certificate and has not been modified since it was digitally signed. (Cf., INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE; COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE; SOFTWARE PUBLISHER'S PLEDGE; VALIDATION (OF CERTIFICATE APPLICATION))
SUBJECT (OF A CERTIFICATE) - The holder of a private key corresponding to a public key. The term "subject" can refer to both the equipment or device that holds a private key and to the individual person, if any, who controls that equipment or device. A subject is assigned an unambiguous name which is bound to the public key contained in the subject's certificate.
SUBJECT NAME - The unambiguous value in the subject name field of a certificate which is bound to the public key.
SUBORDINATE IA - Within the Ignite PKI architecture's hierarchy of IAs, each IA is either the TR, a PCA, a CA or a "subordinate CA". The subordinate IA of the TR is a PCA; the PCA's subordinate IA is a CA; a CA's subordinate IA is a subordinate CA. If present, a subordinate CA's subordinate IA is yet another subordinate CA. (Cf., SUPERIOR IA)
SUBSCRIBER - A person who is the subject of, and has been issued, a certificate, and is capable of using, and authorised to use, the private key that corresponds to the public key listed in the certificate. (See also SUBJECT; cf., CERTIFICATE APPLICANT; USER)
SUBSCRIBER AGREEMENT - The agreement executed between a subscriber and an IA for the provision of designated public certification services in accordance with this CPS.
SUBSCRIBER INFORMATION - Information supplied to a certification authority as part of a certificate application. (Cf., CERTIFICATE APPLICATION)
SUPERIOR IA - Within the Ignite PKI architecture's hierarchy of IAs, each IA is either the TR, a PCA, a CA or a "subordinate CA". The superior IA of a subordinate CA is either another subordinate CA or a CA; a CA's superior is a PCA; a PCA's superior is either the TR, or itself. The TR is its own superior IA. (Cf., SUBORDINATE IA)
| T |
TEST CERTIFICATE - A certificate issued by an IA for the limited purpose of internal technical testing. Test certificates may be used by authorised persons only. (See CPS Section 2.2.4).
THREAT - A circumstance or event with the potential to cause harm to a system, including the destruction, unauthorised disclosure, or modification of data and/or denial of service.
TIME STAMP - A notation that indicates (at least) the correct date and time of an action, and identity of the person or device that sent or received the time stamp.
TOKEN - A hardware security token containing a user's private key(s), public key certificate, and, optionally, a cache of other certificates, including all certificates in the user's certification chain.
TRANSACTION - A computer-based transfer of business information which consists of specific processes to facilitate communication over global networks.
TRUST - Generally, the assumption that an entity will behave substantially as expected. Trust may apply only for a specific function. The key role of this term in an authentication framework is to describe the relationship between an authenticating entity and an IA. An authenticating entity must be certain that it can trust the IA to create only valid and reliable certificates, and users of those certificates rely upon the authenticating entity's determination of trust.
TRUSTED PERSON - A person who serves in a trusted position and is qualified to serve in it in accordance with this CPS. (Cf., TRUST; TRUSTED POSITION; TRUSTED THIRD PARTY; TRUSTWORTHY SYSTEM)
TRUSTED POSITION - A role within an IA that includes access to or control over cryptographic operations that may materially affect the issuance, use, suspension, or revocation of certificates, including operations that restrict access to a repository.
TRUSTED ROOT - A trusted root is a public key which has been confirmed as bound to an IA by a user or system administrator. Software and systems implementing authentication based on public key cryptography and certificates assume that this key value has been correctly obtained. It is confirmed by always accessing it from a trusted system repository to which only identified and trusted administrators have modification authorisations.
TRUSTED THIRD PARTY - In general, an independent, unbiased third party that contributes to the ultimate security and trustworthiness of computer-based information transfers. A trusted third party does not connote the existence of a trustor-trustee or other fiduciary relationship. (Cf., TRUST)
TRUSTWORTHY SYSTEM - Computer hardware, software, and procedures that are reasonably secure from intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and enforce the applicable security policy. A trustworthy system is not necessarily a "trusted system" as recognised in classified government nomenclature.
TYPE (OF CERTIFICATE) - The defining properties of a certificate which limit its intended purpose to a class of applications uniquely associated with that type.
| U |
UNAMBIGUOUS NAME - (See DISTINGUISHED NAME)
UNIFORM RESOURCE LOCATOR (URL) - A standardised device for identifying and locating certain records and other resources located on the World Wide Web.
USER - An authorised entity that uses a certificate as applicant, subscriber, recipient or relying party, but not including the IA issuing the certificate. (Cf., CERTIFICATE APPLICANT; ENTITY; PERSON; SUBSCRIBER)
| V |
VALID CERTIFICATE - A certificate issued by an IA and accepted by the subscriber listed in it.
VALIDATE A CERTIFICATE (i.e., of an END-USER SUBSCRIBER CERTIFICATE) - The process performed by a recipient or relying party to confirm that an end-user subscriber certificate is valid and was operational at the date and time a pertinent digital signature was created.
VALIDATE A CERTIFICATE CHAIN - For each certificate in a chain, the process performed by the recipient or relying party to authenticate the public key (in each certificate), confirm that each certificate is valid, was issued within the operational period of the corresponding IA certificate, and that all parties (IAs, end-user subscribers, recipients, and relying parties) have operated in accordance with this CPS as to all certificates in the chain.
VALIDATION (OF CERTIFICATE APPLICATION) - The process performed by the IA (or its LRA) following submission of a certificate application as a prerequisite to approval of the application and the issuance of a certificate. (Cf., AUTHENTICATION; SOFTWARE VALIDATION)
VALIDATION (OF SOFTWARE) - (See SOFTWARE VALIDATION)
VERIFY (A DIGITAL SIGNATURE) - In relation to a given digital signature, message, and public key, to determine accurately that (i) the digital signature was created during the operational period of a valid certificate by the private key corresponding to the public key contained in the certificate and (ii) the associated message has not been altered since the digital signature was created. (Cf., AUTHENTICATION; CONFIRM)
| W |
WORLD WIDE WEB (WWW) - A hypertext-based, distributed information system in which users may create, edit, or browse hypertext documents. A graphical document publishing and retrieval medium; a collection of linked documents that reside on the Internet.
WRITING - Information in a record that is accessible and usable for subsequent reference.
| X |
X.509 - The ITU-T (International Telecommunications Union-T) standard for certificates. X.509 v3 refers to certificates containing or capable of containing extensions.
| Y |
-
| Z |
-