Akenti access to Zetoc
Project within the JISC
programme to look at the Akenti authorisation
system using digital certificates.
"An authority trusted by one or more
users to create and sign attribute certificates. It is
important to note that the AA is responsible for the
attribute certificates during their whole lifetime, not
just for issuing them".
Authentication, Authorisation and Accounting Programme
Programme to which
for more information.
A data structure containing a set of attributes for an
some other information, which is digitally
signed with the private key of the AA which issued it.
System/research project looking at controlling access (e.g. PKI), but mostly attribute control/authorization (e.g. PMI) using digitally signed certificates.
From the project web site: "Akenti is a security model
and architecture that is intended to provide scalable
security services in highly distributed network
often define different levels of security assurance. For
example it might not be appropriate to store your biscuit
recipes in a hardware cryptographic module or to do your
online banking using an unencrypted public network. To allow
you to choose the "right" level of security, PKI allows certificates with different security levels.
'Rudimentary' or 'Basic' levels might be chosen if security requirements are not very high. For example, at a 'rudimentary' security level your certificates and keys might be generated centrally and then delivered to you by email or on a floppy disk. Higher assurance levels will most likely require hardware cryptographic modules for all components within a PKI, including the CA, RA and all end-entities.
Asymmetric encryption was invented independently by academic cryptographers at Stanford University in the USA and by cryptographers at Britain's GCHQ. It is the basis of public key infrastructure (see PKI), although a 'public' key is not strictly necessary. Information is encrypted using one key of a pair and can be decrypted using the other key. In public key encryption,
allows anyone to communicate securely with an entity using his/her/its public key, as the entity can decrypt the
using their (secret) private key.
The Athens Access Management System (AMS) controls access to web-based subscription services.
Project partner in the
to Athens' role in this project).
Service provider to higher education and health organisations for access to many web-based (and some non-web-based) information services, searchable databases etc. Users
Athens username and password and can then access the multiple
for 'devolved authentication' back to the user's home
"Athens is, fundamentally, a central repository of
organisations, usernames and passwords with associated
Athens Devolved Authentication
Service (at EduServ)
An Access Management System for controlling access to web-based subscription services. Athens has developed the technology to accept X.509
means of authentication
but AthensDA will usually be
configured to return the user to their home institution and
then for the institution to pass them back to Athens with an
authentication token (plus a component called a 'permission
set' which is concerned with
for more information.
The act of verifying that an electronic
login name etc.) is being employed by the entity, person or
process to whom it was issued.
Strictly it should mean "establishing the validity of
something, such as an identity". This procedure can be
See also Identification.
for more background on identification and
(Usually spelled as Authorisation in UK English)
Associating rights or capabilities with a subject.
Usually, authorisation follows
the entity is identified, and/or authenticated, the
check what the entity is allowed to do or see.
Basic Level Assurance
See Assurance Levels.
algorithm invented by Bruce Schneier.
Symmetric key algorithm which uses a variable-length key of up to 448 bits. The algorithm is unpatented and in the public domain. See also Twofish.
An agency or organisation that is able to publish and give out digital certificates (but can it be trusted?)
"An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user's keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime (which includes renewal, revocation, etc.), not just for
See also the following Open Source implementations: OpenCA and pyCA.
CRL Distribution Point
Field (extension) on X.509
certificates that (in theory) tells programs
reading the certificates where to get the certificate
revocation list (CRL).
CESG
Looks after and advises on security issues for the UK Government. The body is the Information Assurance arm of GCHQ (Government Communications Headquarters, the primary intelligence gathering body in the UK).
See Public Key Certificate
Certificate Management Protocol
CMP is a management protocol used for communication between
RFC2510 by the
protocols are required to support on-line interactions
between Public Key
For example, a management protocol might be used between a
Certificate Authority (CA) and a
client system with which a key pair is associated, or
CAs that issue
for each other.
A set of rules that indicate the applicability of the certificate to a particular community and/or class of applications with common security requirements (at a higher level than the detailed CPS).
"A named set of rules that indicates
the applicability of a public key certificate to a
particular community or class of application with common
security requirements. For example, a particular certificate
policy might indicate applicability of a type of public key
certificate to the authentication of electronic data
interchange transactions for the trading of goods within a
given price range".
Certification Practices Statement
Plan for use that conforms to X.509 Certificate Policy. Describes the practices employed in issuing and
managing certificates (including the legal framework).
"A statement of the practices which a
CA employs in issuing
public key certificates".
Central Registration Authority
Many Registration Authorities (RAs) exist in the DCOCE project architecture, but there is one central point to which requests are made before they are passed on to the Certification Authority (CA). This central point is under the control of the cRA, where logs and audits are kept/actioned and from where the devolution to the actual (local to the user) RAs takes place. The server(s) or holding point for certificate requests (and their signed returns) is therefore referred to as the cRA system (which also includes other functionality).
Cracking can mean to break into a computer system, to run an
attack on a password database or remove copy protection from
Certificate Revocation List
A list containing every certificate that has been revoked by the Certification Authority (CA) and has not yet expired
other reasons. (Ideally, a CA issues a CRL at regular intervals. Besides listing certificates that have been
the CRL states how long it will be valid and where to get
CRL.) It is likely that this technology is practically
CRLs can become very large, so development is continuing into real-time certificate validation (e.g. XML Key Management
and the Security Assertions Markup Language - SAML). See also
Cryptography is a collection of mathematical techniques for protecting information. Information is made unintelligible by the use of a key and is
by the use of the same, or another, key.
See also Encryption.
for more background on cryptography and