access control entry (ACE).  An access rule that specifies either (1) how subjects requesting access are to be identified or (2) what rights are allowed or denied for a particular subject or subjects. See access control list (ACL).

access control list (ACL).  A collection of access control entries that define a hierarchy of access rules to be evaluated when a server receives a request for access to a particular resource. See access control entry (ACE).

administrator.  The person who installs and configures one or more CMS managers and sets up privileged users, or agents, for them. See also agent.

agent.  A user who belongs to a group authorized to manage agent services for a CMS manager. See also Certificate Manager agent, Registration Manager agent, Data Recovery Manager agent.

agent services.  1. Services that can be administered by a CMS agent via HTML pages served by the CMS manager for which the agent has been assigned the necessary privileges. 2. The HTML pages for administering such services.

attribute value assertion (AVA).  An assertion of the form attribute = value, where attribute consists of a tag, such as o (organization) or uid (user ID), and value consists of a value, such as "Netscape Communications Corp." or a login name. AVAs are used to form the distinguished name (DN) that identifies the subject of a certificate (called the subject name of the certificate).

authentication.  Confident identification; that is, assurance that a party to some computerized transaction is not an impostor. Authentication typically involves the use of a password, certificate, PIN, or other information that can be used to validate identity over a computer network. See also password-based authentication, certificate-based authentication, client authentication, server authentication.

authentication module.  A set of rules (implemented as a Java class) for authenticating an end entity, agent, administrator, or any other entity that needs to interact with a CMS manager. In the case of typical end-user enrollment, after the user has supplied the information requested by the enrollment form, the enrollment servlet uses an authentication module associated with that form to validate the information and authenticate the user's identity. See servlet.

authorization.  Permission to access a resource controlled by a server. Authorization typically takes place after the ACLs associated with a resource have been evaluated by a server. See access control list (ACL).

automatic authentication.  A way of configuring a CMS manager that allows automatic authentication for the purposes of end-entity enrollment, without human intervention. With this form of authentication, a certificate request that completes authentication module processing successfully is automatically approved for policy processing and certificate issuance.

bind DN.  A user ID, in the form of a distinguished name (DN), used with a password to authenticate to Netscape Directory Server.

CA certificate.  A certificate that identifies a certificate authority. See also certificate authority (CA), subordinate CA, root CA.

CA hierarchy.  A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs. Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs. See also certificate authority (CA), subordinate CA, root CA.

CA server key.  The SSL server key of the server providing a CA service.

CA signing key.  The private key that corresponds to the public key in the CA certificate. A CA uses its signing key to sign certificates and CRLs.

certificate.  Digital data, formatted according to the X.509 standard, that specifies the name of an individual, company, or other entity (the subject name of the certificate) and certifies that a public key, which is also included in the certificate, belongs to that entity. A certificate is issued and digitally signed by a certificate authority (CA). A certificate's validity can be verified by checking the CA's digital signature using the techniques of public-key cryptography. To be trusted within a public-key infrastructure (PKI), a certificate must be issued and signed by a CA that is trusted by other entities enrolled in the PKI.

certificate authority (CA).  A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify. A CA also renews and revokes certificates and generates CRLs. The entity named in the issuer field of a certificate is always a CA. Certificate authorities can be independent third parties (such as the CAs listed at https://certs.netscape.com/client.html) or a person or organization using certificate-issuing server software (such as Netscape Certificate Management System). Certificate Management System makes it possible to divide the role of a CA among one or more Registration Managers, which handle most or all interactions with certificate owners, and a Certificate Manager, which issues certificates.

certificate-based authentication.  Authentication based on certificates and public-key cryptography. See also password-based authentication.

certificate chain.  A hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA, and so on up to a root CA. Certificate Management System allows any end entity to retrieve all the certificates in a certificate chain.

Certificate Enrollment Protocol (CEP).  A certificate management protocol jointly developed by Cisco Systems and VeriSign, Inc. CEP is an early implementation of Certificate Management Messages over Cryptographic Message Syntax (CMC). CEP specifies how a device communicates with a CA, including how to retrieve the CA's public key, how to enroll a device with the CA, and how to retrieve a CRL. CEP uses PKCS #7 and PKCS #10. For more information about CEP, see http://www.cisco.com/warp/public/778/security/821_pp.htm.

certificate extensions.  An X.509 v3 certificate contains an extensions field that permits any number of additional fields to be added to the certificate. Certificate extensions provide a way of adding information such as alternative subject names and usage restrictions to certificates. A number of standard extensions have been defined by the PKIX working group. Older versions of Netscape browsers and servers support Netscape-specific extensions that were required (mainly to indicate certificate usage) before standard extensions were defined.

certificate fingerprint.  A one-way hash associated with a certificate. The number is not part of the certificate itself, but is produced by applying a hash function to the contents of the certificate. If the contents of the certificate changes, even by a single character, the same function produces a different number. Certificate fingerprints can therefore be used to verify that certificates have not been tampered with.

Certificate Management Messages over Cryptographic Message Syntax (CMC).  Message format used to convey a request for a certificate to a Registration Manager or Certificate Manager. A proposed standard from the Internet Engineering Task Force (IETF) PKIX working group. For detailed information, see http://www.ietf.org/internet-drafts/draft-ietf-pkix-cmc-02.txt.

Certificate Management Message Formats (CMMF).  Message formats used to convey certificate requests and revocation requests from end entities to a Registration Manager or Certificate Manager and to send a variety of information to end entities. A proposed standard from the Internet Engineering Task Force (IETF) PKIX working group. CMMF is subsumed by another proposed standard, Certificate Management Messages over Cryptographic Message Syntax (CMC). For detailed information, see http://www.ietf.org/internet-drafts/draft-ietf-pkix-cmmf-02.txt.

Certificate Manager.  An independent CMS subsystem capable of acting as a stand-alone certificate authority. A Certificate Manager instance issues, renews, and revokes certificates, which it can publish along with CRLs to an LDAP directory. It can be configured to accept requests from end entities, Registration Managers, or both. When set up to work with a separate Registration Manager, the Certificate Manager processes requests and returns the signed certificates to the Registration Manager. See certificate authority (CA).

Certificate Manager agent.  A user who belongs to a group authorized to manage agent services for a Certificate Manager. These services include the ability to access and modify (approve and reject) certificate requests and issue certificates.

Certificate Request Message Format (CRMF).  Format used for messages related to life-cycle management of X.509 certificates. This format is a subset of CMMF. See also Certificate Management Message Formats (CMMF). For detailed information, see ftp://ftp.isi.edu/in-notes/rfc2511.txt.

certificate revocation list (CRL).  As defined by the X.509 standard, a list of revoked certificates by serial number, generated and signed by a certificate authority (CA).

chain of trust.  See certificate chain.

chained CA.  See linked CA.

cipher.  See cryptographic algorithm.

client authentication.  The process of identifying a client to a server, for example, with a name and password or with a certificate and some digitally signed data. See certificate-based authentication, password-based authentication, server authentication.

client SSL certificate.  A certificate used to identify a client to a server using the SSL protocol. See Secure Sockets Layer (SSL).

CMC.  See Certificate Management Messages over Cryptographic Message Syntax (CMC).

CMMF.  See Certificate Management Message Formats (CMMF).

CMS.  See Netscape Certificate Management System (CMS), Cryptographic Message Syntax (CMS).

CMS instance.  An instance of a CMS subsystem, comprising both code and data and treated as a discrete entity.

CMS subsystem.  One of the three CMS Managers: Certificate Manager, Registration Manager, or Data Recovery Manager.

CMS window.  A window that can be opened for any single CMS instance from within Netscape Console. A CMS window allows the CMS administrator to control configuration settings for the corresponding CMS instance.

configuration directory.  A Directory Server instance that contains the configuration entries used by Netscape Console to track the servers in a server group.

CRL.  See certificate revocation list (CRL).

CRMF.  See Certificate Request Message Format (CRMF).

cross-certification.  The exchange of certificates by two CAs in different certification hierarchies, or chains. Cross-certification extends the chain of trust so that it encompasses both hierarchies. See also certificate authority (CA).

cryptographic algorithm.  A set of rules or directions used to perform cryptographic operations such as encryption and decryption.

Cryptographic Message Syntax (CMS).  The syntax used to digitally sign, digest, authenticate, or encrypt arbitrary messages, such as CMMF.

cryptographic module.  See PKCS #11 module.

cryptographic service provider (CSP) .  A cryptographic module that performs cryptographic services, such as key generation, key storage, and encryption, on behalf of software that uses a standard interface such as that defined by PKCS #11 to request such services.

CSP.  See cryptographic service provider (CSP).

Data Recovery Manager.  An optional, independent CMS subsystem that manages the long-term archival and recovery of RSA encryption keys for end entities. A Certificate Manager or Registration Manager can be configured to archive end entities' encryption keys with a Data Recovery Manager before issuing new certificates. The Data Recovery Manager is useful only if end entities are encrypting data (such as sensitive email) that the organization may need to recover someday. It can be used only with end entities that support dual key pairs--that is, two separate key pairs, one for encryption and one for digital signatures.

Data Recovery Manager agent.  A user who belongs to a group authorized to manage agent services for a Data Recovery Manager, including managing the request queue and authorizing recovery operation using HTML-based administration pages.

Data Recovery Manager recovery agent.  One of the m of n people who own portions of the storage key for the Data Recovery Manager.

Data Recovery Manager storage key.  Special key used by the Data Recovery Manager to encrypt the end entity's encryption key (after it has been decrypted with the Data Recovery Manager's private transport key). The storage key never leaves the Data Recovery Manager.

Data Recovery Manager transport certificate.  Certifies the public key used by an end entity to encrypt the entity's encryption key for transport to the Data Recovery Manager. The Data Recovery Manager uses the private key corresponding to the certified public key to decrypt the end entity's key before encrypting it with the Data Recovery Manager storage key. The Data Recovery Manager also uses the same private key to sign the proof of archival token it sends to the Registration Manager after storing an end entity's encryption key.

decryption.  The unscrambling of data that has been encrypted. See encryption.

Data Encryption Standard (DES).  A FIPS-approved cryptographic algorithm required by FIPS 140-1 and specified by FIPS PUBS 46-2. DES, which uses 56-bit keys, is a standard encryption and decryption algorithm that has been used successfully throughout the world for more than 20 years. See also FIPS PUBS 140-1. For detailed information, see http://www.itl.nist.gov/div897/pubs/fip46-2.htm.

digital ID.  See certificate.

digital signature.  To create a digital signature, the signing software first creates a one-way hash from the data to be signed (such as a newly issued certificate). The one-way hash is then encrypted with the private key of the signer. The resulting digital signature is unique for each piece of data signed. Even a single comma added to a message changes the digital signature for that message. Successful decryption of the digital signature with the signer's public key and comparison with another hash of the same data provides tamper detection. Verification of the certificate chain for the certificate containing the public key provides authentication of the signer. See also nonrepudiation, encryption.

Digital Signature Algorithm (DSA).  A FIPS-approved cryptographic algorithm specified by the Digital Signature Standard (DSS), FIPS PUBS 186. DSA is a standard algorithm used to create digital signatures. For detailed information, see http://www.itl.nist.gov/div897/pubs/fip186.htm.

distinguished name (DN).  A series of AVAs that identify the subject of a certificate. See attribute value assertion (AVA).

DSA.  See Digital Signature Algorithm (DSA).

dual key pair.  Two public-private key pairs--four keys altogether--corresponding to two separate certificates. The private key of one pair is used for signing operations, and the public and private keys of the other pair are used for encryption and decryption operations. Each pair corresponds to a separate certificate. See also encryption key, public-key cryptography, signing key.

eavesdropping.  Surreptitious interception of information sent over a network by an entity for which the information is not intended.

encryption.  The process of scrambling information in a way that disguises its meaning. See decryption.

encryption key.  A private key used for encryption only. An encryption key and its equivalent public key, plus a signing key and its equivalent public key, constitute a dual key pair.

enrollment.  The process of requesting and receiving an X.509 certificate for use in a public-key infrastructure (PKI). Also known as registration.

end entity.  In a public-key infrastructure (PKI), a person, router, server, or other entity that uses a certificate to identify itself.

extensions field.  See certificate extensions.

fingerprint.  See certificate fingerprint.

FIPS PUBS 140-1.  Federal Information Standards Publications (FIPS PUBS) 140-1 is a US government standard for implementations of cryptographic modules--that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). Many products sold to the US government must comply with one or more of the FIPS standards. For detailed information, see http://www.itl.nist.gov/div897/pubs/fip140-1.htm.

firewall.  A system or combination of systems that enforces a boundary between two or more networks.

impersonation.  The act of posing as the intended recipient of information sent over a network. Impersonation can take two forms: spoofing and misrepresentation.

intermediate CA.  A CA whose certificate is located between the root CA and the issued certificate in a certificate chain.

IP spoofing.  The forgery of client IP addresses.

JAR file.  A digital envelope for a compressed collection of files organized according to the Java archive (JAR) format.

Java archive (JAR) format.  A set of conventions for associating digital signatures, installer scripts, and other information with files in a directory.

Java Cryptography Architecture (JCA).  The API specification and reference developed by Sun Microsystems for cryptographic services. For detailed information, see http://java.sun.com/products/jdk/1.2/docs/guide/security/CryptoSpec.html#Introduction

Java Development Kit (JDK).  Software development kit provided by Sun Microsystems for developing applications and applets using the Java programming language.

Java Native Interface (JNI).  A standard programming interface that provides binary compatibility across different implementations of the Java Virtual Machine (JVM) on a given platform, allowing existing code written in a language such as C or C++ for a single platform to bind to Java. For detailed information, see http://java.sun.com/products/jdk/1.2/docs/guide/jni/index.html.

Java Security Services (JSS).  A Java interface for controlling security operations performed by Netscape Security Services (NSS).

KEA.  See Key Exchange Algorithm (KEA).

key.  A large number used by a cryptographic algorithm to encrypt or decrypt data. A person's public key, for example, allows other people to encrypt messages intended for that person. The messages must then be decrypted by using the corresponding private key.

key exchange.  A procedure followed by a client and server to determine the symmetric keys they will both use during an SSL session.

Key Exchange Algorithm (KEA).  An algorithm used for key exchange by the US Government.

Lightweight Directory Access Protocol (LDAP).  A directory service protocol designed to run over TCP/IP and across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories. LDAP is under IETF change control and has evolved to meet Internet requirements.

linked CA.  An internally deployed certificate authority (CA) whose certificate is signed by a public, third-party CA. The internal CA acts as the root CA for certificates it issues, and the third-party CA acts as the root CA for certificates issued by other CAs that are linked to the same third-party root CA. Also known as "chained CA" and by other terms used by different public CAs.

manual authentication.  A way of configuring a CMS manager that requires human approval of each certificate request. With this form of authentication, a servlet forwards a certificate request to a request queue after successful authentication module processing. An agent with appropriate privileges must then approve each request individually before policy processing and certificate issuance can proceed.

MD5.  A message digest algorithm that was developed by Ronald Rivest. See also one-way hash.

message digest.  See one-way hash.

misrepresentation.  The presentation of an entity as a person or organization that it is not. For example, a web site might pretend to be a furniture store when it is really just a site that takes credit-card payments but never sends any goods. Misrepresentation is one form of impersonation. See also spoofing.

Netscape Certificate Management System (CMS).  A highly configurable set of software components and tools for creating, deploying, and managing certificates. CMS comprises three major subsystems that can be installed in different CMS instances in different physical locations: Certificate Manager, Registration Manager, and Data Recovery Manager.

Netscape Console.  The Java application used to set up and manage Netscape servers.

Netscape Security Services (NSS).  A set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built using the NSS libraries support the Secure Sockets Layer (SSL) protocol for authentication, tamper detection, and encryption, and the PKCS #11 protocol for cryptographic token interfaces. Netscape uses NSS to support these features in a wide range of products, including Certificate Management System. NSS is also available separately as a software development kit.

nonrepudiation.  The inability by the sender of a message to deny having sent the message. A digital signature provides one form of nonrepudiation.

object signing.  A technology that allows software developers to sign Java code, JavaScript scripts, or any kind of file and allows users to identify the signers and control access by signed code to local system resources.

object-signing certificate.  A certificate whose associated private key is used to sign objects using the technology known as object signing.

one-way hash.  A number of fixed length generated from data of arbitrary length with the aid of a hashing algorithm. The number (also called a message digest) has two characteristics: (1) It is unique to the hashed data. Any change in the data, even deleting or altering a single character, results in a different value. (2) The content of the hashed data cannot, for all practical purposes, be deduced from the hash.

password-based authentication.  Confident identification by means of a name and password. See also authentication, certificate-based authentication.

PKCS #7.  The public-key cryptography standard that governs signing and encryption.

PKCS #10.  The public-key cryptography standard that governs certificate requests.

PKCS #11.  The public-key cryptography standard that governs cryptographic tokens such as smart cards.

PKCS #11 module.  A driver for a cryptographic device that provides cryptographic services, such as encryption and decryption, via the PKCS #11 interface. A PKCS #11 module (also called a cryptographic module or cryptographic service provider) can be implemented in either hardware or software. A PKCS #11 module always has one or more slots, which may be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual slots in software. Each slot for a PKCS #11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys. Netscape provides a built-in PKCS #11 module with Certificate Management System.

PCKS #12.  The public-key cryptography standard that governs key portability.

policy module.  A rule (implemented as a Java class) that validates the contents of a certificate request for that rule and formulates the contents of the certificate to be issued.

private key.  One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data encrypted with the corresponding public key.

proof-of-Archival (POA).  Data signed with the private Data Recovery Manager transport key that contains information about an archived end-entity key, including key serial number, name of the Data Recovery Manager, subject name of the corresponding certificate, and date of archival. The signed proof-of-archival data is the response returned by the Data Recovery Manager to the Registration Manager or Certificate Manager after a successful key archival operation. See also Data Recovery Manager transport certificate.

public key.  One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a certificate. It is typically used to encrypt data sent to the public key's owner, who then decrypts the data with the corresponding private key.

public-key cryptography.  A set of well-established techniques and standards that allow an entity to verify its identity electronically or to sign and encrypt electronic data. Two keys are involved: a public key and a private key. A public key is published as part of a certificate, which associates that key with a particular identity. The corresponding private key is kept secret. Data encrypted with the public key can be decrypted only with the private key.

public-key infrastructure (PKI).  The standards and services that facilitate the use of public-key cryptography and X.509 v3 certificates in a networked environment.

RC2, RC4.  Cryptographic algorithms developed for RSA Data Security by Rivest. See also cryptographic algorithm.

registration.  See enrollment.

Registration Manager.  An optional, independent CMS subsystem that performs tasks involving end entities, such as enrollment or renewal, on behalf of a Certificate Manager. The Registration Manager can be configured to process requests and approve them either manually (that is, with the aid of a human being) or automatically (based entirely on customizable policies and procedures). After the Registration Manager approves requests, it typically forwards them to the Certificate Manager, which processes them and returns the issued certificates to the Registration Manager. The Registration Manager then distributes the certificates to the end entities and (typically) publishes them to the appropriate directory.

Registration Manager agent.  A user who belongs to a group authorized to manage agent services for a Registration Manager, including the ability to access and modify (approve and reject) certificate requests.

root CA.  The certificate authority (CA) with a self-signed certificate at the top of a certificate chain. See also CA certificate, subordinate CA.

RSA algorithm.  Short for Rivest-Shamir-Adleman, a public-key algorithm for both encryption and authentication. It was developed by Ronald Rivest, Adi Shamir, and Leonard Adleman and introduced in 1978.

RSA key exchange.  A key-exchange algorithm for SSL based on the RSA algorithm.

sandbox.  A Java term for the carefully defined limits within which Java code must operate.

Secure Sockets Layer (SSL).  A protocol that allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols.

server authentication.  The process of identifying a server to a client. See also client authentication.

server group.  The servers in a server root directory managed by a single instance of Netscape Administration Server.

server root.  The directory used to store CMS and other Netscape Server binaries that make up a server group.

server SSL certificate.  A certificate used to identify a server to a client using the Secure Sockets Layer (SSL) protocol.

servlet .  Java code that handles a particular kind of interaction with end entities on behalf of a CMS manager. For example, certificate enrollment, renewal, revocation, and key recovery requests are each handled by separate servlets.

SHA-1.  Secure Hash Algorithm, a hash function used by the US Government.

signature algorithm.  A cryptographic algorithm used to create digital signatures. Certificate Management System supports the MD5 and SHA-1 signing algorithms. See also cryptographic algorithm, digital signature.

signing certificate.  A certificate whose public key corresponds to a private key used to create digital signatures. For example, Certificate Manager must have a signing certificate whose public key corresponds to the private key it uses to sign the certificates it issues. A Registration Manager must have a signing certificate whose public key corresponds to the private key it uses to sign the certificate requests it sends to the Certificate Manager.

signing key.  A private key used for signing only. A signing key and its equivalent public key, plus an encryption key and its equivalent public key, constitute a dual key pair.

single sign-on.  1. In CMS, a password that simplifies the way you sign on to Certificate Management System by storing the passwords for the internal database and tokens. Each time you log on, you're required to enter just this single password. 2. The ability for a user to log in once to a single computer and be authenticated automatically by a variety of servers within a network. Partial single sign-on solutions can take many forms, including mechanisms for automatically tracking passwords used with different servers. Certificates support single sign-on within a public-key infrastructure (PKI). A user can log in once to a local client's private-key database and thereafter, as long as the client software is running, rely on certificate-based authentication to access each server within an organization that the user is allowed to access.

slot.  The portion of a PKCS #11 module (implemented in either hardware or software) that contains a token.

smart card.  A small device, typically about the size of a credit card, that contains a microprocessor and is capable of storing cryptographic information (such as keys and certificates) and performing cryptographic operations. Smart cards implement some or all of the PKCS #11 interface.

spoofing.  The act of pretending to be someone else. For example, a person can pretend to have the email address jdoe@netscape.com, or a computer can identify itself as a site called www.netscape.com when it is not. Spoofing is one form of impersonation. See also misrepresentation, impersonation.

SSL.  See Secure Sockets Layer (SSL).

subject.  The entity identified by a certificate. In particular, the subject field of a certificate contains a subject name that uniquely describes the certified entity.

subject name.  A distinguished name (DN) that uniquely describes the subject of a certificate.

subordinate CA.  A certificate authority whose certificate is signed by another subordinate CA or by the root CA. See CA certificate, root CA.

symmetric encryption.  An encryption method that uses the same cryptographic key to encrypt and decrypt a given message.

tamper detection.  A mechanism ensuring that data received in electronic form has not been tampered with; that is, that the data received entirely corresponds with the original version of the same data.

token.  A hardware or software device that is associated with a slot in a PKCS #11 module. It provides cryptographic services and optionally stores certificates and keys.

tree hierarchy.  The hierarchical structure of an LDAP directory.

trust.  Confident reliance on a person or other entity. In a public-key infrastructure (PKI), trust refers to the relationship between the user of a certificate and the certificate authority (CA) that issued the certificate. If you trust a CA, you can generally trust valid certificates issued by that CA.

virtual private network (VPN).  A way of connecting geographically distant divisions of an enterprise. The VPN allows the divisions to communicate over an encrypted channel, allowing authenticated, confidential transactions that would normally be restricted to a private network.