Digital Certificate Operation in a Complex Environment
homebackgroundprojectdocumentsdesignglossary
navigation search
search query:

The DCOCE Glossary

1. Glossary A - C

Term Meaning Explanation
A2Z Akenti access to Zetoc Project within the JISC AAA programme to look at the Akenti authorisation system using digital certificates.
AA Attribute Authority IETF definition: "An authority trusted by one or more users to create and sign attribute certificates. It is important to note that the AA is responsible for the attribute certificates during their whole lifetime, not just for issuing them".
AAA Authentication, Authorisation and Accounting Programme JISC Programme to which DCOCE belongs.
Click here for more information.
AC Attribute Certificate A data structure containing a set of attributes for an end-entity and some other information, which is digitally signed with the private key of the AA which issued it.
Akenti System/research project looking at controlling access (e.g. PKI), but mostly attribute control/authorization (e.g. PMI) using digitally signed certificates. From the project web site: "Akenti is a security model and architecture that is intended to provide scalable security services in highly distributed network environments".
Assurance Levels Certificate Policies often define different levels of security assurance. For example it might not be appropriate to store your biscuit recipes in a hardware cryptographic module or to do your online banking using an unencrypted public network. To allow you to choose the "right" level of security, PKI allows certificates with different security levels.
'Rudimentary' or 'Basic' levels might be choosen if security requirements are not very high. For example in a 'rudimentary' security level your certificates and keys might be generated centrally and then delivered to you by email or on a floppy disk. Higher level assurance levels most likely will require hardware cryptography modules for all components within a PKI, including CA, RA and all end-entities.
Asymmetric Encryption Asymmetric encryption was invented independently by academic cryptographers at Stanford University in the USA and by military cryptographers at Britain's GCHQ. It is the basis of public key infrastructure (see PKI), although a 'public' key is not strictly necessary. Information is encrypted by using one key of a pair and can only be de-crypted using the other key. In public key encryption, this allows anyone to communicate securely with an entity using his/her/its public key as the entity can de-crypt the information using their (secret) private key.
Athens The Athens Access Management System (AMS) controls access to web- based subscription services. Project partner in the DCOCE project. (See some background to Athens' role in this project).
Service provider to higher education and healthorganisations for access to many web-based (and some non-web based) information services, searchable databases etc. Users obtain an Athens username and password and can then access themultiple services. However, see AthensDA for 'devolved authentication' back to the user's home institution.
http://www.athensams.net/
"Athens is, fundamentally, a central repository of organisations, usernames and passwords with associated rights."
AthensDA Athens Devolved Authentication Service (at EduServ) An Access Management System for controlling access to web-based subscription services. Athens has developed the technology to accept X.509 certificates as an alternative means of authentication but AthensDA will usually be configured to return the user to their home institution and then for the institution to pass them back to Athens with an authentication token (plus a component called a 'permission set' which is concerned with authorisation).
Click here for more information.
Authentication The act of verifying that an electronic identity (username, login name etc.) is being employed by the entity, person or process to whom it was issued.
Strictly it should mean "establishing the validity of something, such as an identity". This procedure can be very difficult indeed.
See also Identification.
See our primer document for more background on identification and authentication.
Authorization (Usually spelled as Authorisation in UK English) Associating rights or capabilities with a subject.
Usually, authorisation follows authentication or identification. Once, the entity is identified, and/or authenticated, the 'service' will check what the entity is allowed to do or see.
Basic Level Assurance See Assurance Levels.
Blowfish Block encryption algorithm invented by Bruce Schneier. Symmetric key algorithm. Uses variable length key up to 448 bits. Algorithm is unpatented and in public domain. Click here for more information. See also Twofish.
CA Certification Authority An agency or organisation that is able to publish and give out digital certificates (but can it be trusted?) IETF definition: "An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user's keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime (what includes renewal, revocation, etc.), not just for issuing them."
See also the following Open Source implementations: OpenCA and pyCA.
CDP CRL Distribution Point Field (extension) on X.509 v3 certificates that (in theory) tells programs reading the certificates where to get the certificate revocation list (CRL).
CESG Communications-Electronics Security Group CESG Looks after and advises on security issues for the UK Government. The body is the the Information Assurance arm of GCHQ (Government Communications Headquarters - the primary foreign intelligence gathering body in the UK).
See http://www.cesg.gov.uk/
Certificate See Public Key Certificate
CMP Certificate Management Protocol CMP is a management protocol used for communication between PKI components standardised in RFC2510 by the IETF.
IETF definition: Management protocols are required to support on-line interactions between Public Key Infrastructure (PKI) components. For example, a management protocol might be used between a Certificate Authority (CA) and a client system with which a key pair is associated, or between two CAs that issue cross-certificates for each other.
CP Certificate Policy A set of rules that indicate the applicability of the certificate to a particular community and/or class of applications with common security requirements (at a higher level than the detailed CPS). IETF definition: "A named set of rules that indicates the applicability of a public key certificate to a particular community or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of public key certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range".
CPS Certification Practices Statement Plan for use that conforms to X.509 Certificate Policy. Describes the practices employed in issuing and managing certificates (including the legal framework). IETF definition: "A statement of the practices which a CA employs in issuing public key certificates".
cRA Central Registration Authority Many Registration Authorities RAs exist in the DCOCE project architecture, but there is one central point to which requests are made, before they are passed on to the Certification Authority (CA). This central point is under the control of the cRA - where logs and audits are kept/actioned and from where the devolution to the actual (local to the user) RAs takes place. The server(s) or holding point for certificate requests (and their signed returns) is therefore referred-to as the cRA system (which also includes other functionality).
Cracking Cracking can mean to break into a computer system, to run an attack on a password database or remove copy protection from software.
CRL Certificate Revocation List A list containing every certificate that has been revoked by the Certification Authority (CA) that has not been expired for other reasons. (Ideally, a CA issues a CRL at regular intervals. Besides listing certificates that have been revoked, the CRL states how long it will be valid and where to get the next CRL.) It is likely that this technology is practically flawed as CRLs can become very large, so development is continuinginto real-time certificate validation (e.g. XML Key Management Specification XKMS and the Security Assertions Markup Language - SAML). Seealso OCSP.
Cryptography Cryptography is a collection of mathematical techniques for protecting information. Information is made unintelligableby the use of a key and is later made readable by the use ofthe same, or another, key. See also Encryption.
See our primer document for more background on cryptography and PKI.

Up: Contents Next: 2. Glossary D - F

Sections in this document:

Oxford University Computing Services Mimas Athens access management services Oxfore e-Science Centre Systems and Electronic Resources Service Joint Information Systems Committee