"An optional entity given
responsibility for performing some of the administrative
tasks necessary in the registration of subjects, such as:
confirming the subject's identity; validating that the
subject is entitled to have the values requested in a
PKC [Public Key Certificate];
and verifying that the subject has possession of the
private key associated with the public key requested for a
||Symmetric key algorithms develeoped by Ronald Rivest of RSA
Data Security. Tried to keep algorithms secret, but they
"A user or agent (e.g., a client or
server) who relies on the data in a certificate in making
Causing a certificate to be invalid. Revocation means that
the certificate may have been valid, but is valid no longer
authentication should not go ahead. Revocation occurs, for example, when
a user has compromised his/her certificate and needs a new
one or when they
are no longer eligible to hold a certificate. See also CDP, CRL, OCSP, PKI.
Advanced Encryption Standard
||Symmetric key algorithm. Fast and compact. Can use keys
of 128, 192 or 256 bits in length.
Root Certification Authority
Certification Authority (CA)
that is directly trusted by an end-entity (EE); that is, securely acquiring the
value of a Root CA public key requires some
This term is not meant to imply that a Root CA is
the top of any hierarchy, simply that the CA in question is
trusted directly. Note that the term 'trust anchor' is
used with the same meaning as 'root CA' ".
Rivest, Shamir and Adelman
||Public Key Cryptography system. Widely used. Can be used for
encrypting information and as the basis for digital
signatures. See also asymmetric encryption.
Also RSA can be used to mean 'RSA Security Incorporated' - a
Security Assertion Markup Language
SAML is a dialect of eXtensible Markup
Language (XML). Its main purpose is to provide a method so
user can log on once for (associated but separate) Web sites
possibly other 'services'.
SAML is part of the underpinning ideas of
now part of
the OASIS standards.
Secure Environment for
Certificated Use of Resources
||Project within the ANGEL initiative that is part of the AAA
programme. Using Shibboleth.
Systems and Electronic Resources
Service at Oxford University Library Services
Main project partner to the
DCOCE project at the
University of Oxford.
to SERS' role in this project).
Secure Hash Algorithm 1
Secure Hash Algorithm was developed and published by the NIST in 1994. The algorithm creates a 160 bit message digest from a up to 2^64 bit long message.
||An open source implementation to support inter-institutional
sharing of web resources subject to access controls. Also
developing a policy framework that will allowinter-operation
within the higher education community (with 'federated'
Short lived certificates
||Alternative to having to worry about revocation mechanisms
that can be a problem for defending against denial ofservice
attacks (see SAML,
CDP). It may be more
(and safer) to get a new certificate before each major
transaction (as opposed to the recipient of the certificate
verifying it with the CA
Signed Public Key And Challenge
SPKAC (very similar to PKCS#10) defines a syntax for requests for public key certificates. A
certification request contains a Distinguished Name (DN) and a public
key, signed by the entity requestingthe certificate. The request is sent to
a CA who creates a X.509 public
key certificate (or some other form) using the information from the
SPKAC and returns it.
In the DCOCE project Microsoft Internet Explorer certificate requests will be in
the PKCS#10 format. Netscape and Mozilla based requests will be in SPKAC format.
||Virtual terminal program (like Telnet). SSH can be used with
public key cryptography for authentication as an
alternative to passwords.
Secure Sockets Layer
||Layer that exists between the raw TCP/IP protocol and the
application layer. Uses cryptography to authenticate the
server, client and keep the data passing between them secret
from anything 'listening in'. Now embedded in most
"A 'subordinate CA' is one
that is not a Root CA for the end-entity (EE) in question.
Often, a subordinate CA will not be a Root CA for any
entity but this is not mandatory".
Within the context of PKI, the
term 'subject' is used to refer to the entity named in the
field of a certificate.
uses distinguished names
(DN) to identify
subjects. A subject
field in a X.509
might look like this:
C=UK, O=eScience, OU=Authority,
"A subject is the entity (AA, CA, or
EE) named in a certificate, either a PKC or AC. Subjects
can be human users, computers (as represented by Domain
Name Service (DNS) names or Internet Protocol (IP)
addresses), or even software agents".
See also encryption.
Symmetric encryption involves encrypting
and de-crypting information using the same key. It is less
processor-intense than asymmetric encryption but requires a
key exchange at some stage. Keys have to remain secret anda
different key may be required for every entity that
communicates with you. Therefore, secure encryption using
symmetric keys alone does not scale well. Symmetric keysare
often exchanged under cover of asymmetric encryption. See