Glossary

authentication. Confident identification; that is, assurance that a party to some computerized transaction is not an impostor. Authentication typically involves the use of a password, certificate, personal identification number (PIN), or other information that can be used to validate identity over a computer network. See also password-based authentication, certificate-based authentication, client authentication, server authentication.

CA. See certificate authority (CA).

CA certificate. A certificate that identifies a certificate authority. See also certificate authority (CA), subordinate CA, root CA.

certificate. Digital data that specifies the name of an individual, company, or other entity and certifies that a public key, which is also included in the certificate, belongs to that entity. A certificate is issued and digitally signed by a certificate authority (CA). A certificate's validity can be verified by checking the CA's digital signature. See also public-key cryptography.

certificate authority (CA). A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify. A CA also renews and revokes certificates and generates a list of revoked certificates at regular intervals. CAs can be independent third parties (such as the CAs listed at Certificate Authority Services) or a person or organization using certificate-issuing server software (such as iPlanet Certificate Management System). See also certificate revocation list (CRL).

certificate-based authentication. Verification of identity based on certificates and public-key cryptography. See also password-based authentication.

certificate chain. A hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA and so on up to a root CA.

certificate fingerprint. A unique, fixed-length number associated with a certificate. The number is not part of the certificate itself but is produced by applying a mathematical function to the contents of the certificate. If the contents of the certificate change, even by a single character, the function produces a different number. Certificate fingerprints can therefore be used to verify that certificates have not been tampered with.

Certificate Management Messages over CMS (CMC). A general interface to public-key certification products based on Cryptographic Message Syntax (CMS) and PKCS #10, including a certificate enrollment protocol for DSA-signed certificates with Diffie-Hellman public keys. A proposed standard from the IETF PKIX working group. CMC incorporates CRMF and CMMF. Future versions of Certificate Management System will support this standard as it is finalized.

certificate revocation list (CRL). A list of revoked certificates that is generated and signed by a certificate authority (CA). You can download the latest CRL to your browser or to a server, then check against it to make sure that certificates are still valid before permitting their use for authentication.

cipher. See cryptographic algorithm.

client authentication. The process of identifying a client to a server, for example with a name and password or with a client SSL certificate and some digitally signed data. See also Secure Sockets Layer (SSL), server authentication.

client SSL certificate. A certificate that a client (for example, browser software such as Netscape Communicator) presents to a server to authenticate its identity using the Secure Sockets Layer (SSL) protocol. See also client authentication.

Cryptographic Message Syntax (CMS). A superset of PKCS #7 syntax used for digital signatures and encryption. A proposed standard from the IETF PKIX working group.

cryptographic algorithm. A set of rules or directions used to perform cryptographic operations such as encryption and decryption.

decryption. The process of unscrambling data that has been encrypted. See also encryption.

digital ID. See certificate.

digital signature. A code created from both the data to be signed and the private key of the signer. This code is unique for each new piece of data. Even a single comma added to a message changes the digital signature for that message. Successful validation of your digital signature by appropriate software not only provides evidence that you approved the transaction or message, but also provides evidence that the data has not changed since you digitally signed it. See also nonrepudiation, tamper detection.

distinguished name (DN). A specially formatted name that uniquely identifies the subject of a certificate.

dual key pair. Two public-private key pairs--four keys altogether--corresponding to two separate certificates. The private key of one pair is used for signing operations, and the public and private keys of the other pair are used for encryption and decryption operations. Each pair corresponds to a separate certificate. See also public-key cryptography.

eavesdropping. Surreptitious interception of information sent over a network by an entity for which the information is not intended.

encryption. The process of scrambling information in a way that disguises its meaning. For example, encrypted connections between computers make it very difficult for third-parties to unscramble, or decrypt, information flowing over the connection. Encrypted information can be decrypted only by someone who possesses the appropriate key. See also public-key cryptography.

encryption key. A private key used for encryption only. An encryption key and its equivalent public key, plus a signing key and its equivalent public key, constitute a dual key pair.

fingerprint. See certificate fingerprint.

impersonation. Posing as the intended recipient of information sent over a network. Impersonation can take two forms: spoofing and misrepresentation.

key. A large number used by a cryptographic algorithm to encrypt or decrypt data. A person's public key, for example, allows other people to encrypt messages to that person. The encrypted messages must be decrypted with the corresponding private key. See also public-key cryptography.

Lightweight Directory Access Protocol (LDAP). A protocol for accessing directory services.

misrepresentation. Presentation of an entity as a person or organization that it is not. For example, a web site might pretend to be a furniture store when it is really just a site that takes credit card payments but never sends any goods. Misrepresentation is one form of impersonation. See also spoofing.

iPlanet Certificate Management System. A highly configurable set of software components and tools for creating, deploying, and managing certificates. You enroll with the system to obtain certificates of all kinds; the system maintains information about the certificates it issues.

nonrepudiation. The inability by the sender of a message to deny having sent the message at a later time. A regular hand-wrtten signature provides on form of nonrepudiation. A digital signature provides another.

object signing. A technology that allows software developers to sign Java code, JavaScript scripts, or any kind of file, and allows users to identify the signers and control access by signed code to local system resources.

object-signing certificate. A certificate whose corresponding private key is used to sign objects such as code files. See also object signing.

password-based authentication. Confident identification by means of a name and password. See also authentication.

private key. One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data that has been encrypted with the corresponding public key.

public key. One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a certificate. It is typically used to encrypt data sent to the public key's owner, who then decrypts the data with the corresponding private key.

public-key cryptography. Well-established techniques and standards that allow an entity to verify its identity electronically or to sign and encrypt electronic data. Two keys are involved: a public key and a private key. The public key is published as part of a certificate, which associates that key with a particular identity. The corresponding private key is kept secret. Data encrypted with the public key can be decrypted only with the private key.

public-key infrastructure (PKI). The standards and services that facilitate the use of public-key cryptography and certificates in a networked environment.

root CA. The certificate authority (CA) with a self-signed certificate at the top of a certificate chain. See also subordinate CA.

Secure Sockets Layer (SSL). A protocol that allows mutual authentication between a client and server for the purpose of establishing an authenticated and encrypted connection. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. See also authentication, encryption.

server authentication. The process of identifying a server to a client by using a server SSL certificate. See also client authentication, Secure Sockets Layer (SSL).

server SSL certificate. A certificate that a server presents to a client to authenticate the server's identity using the Secure Sockets Layer (SSL) protocol.

signing certificate. A certificate whose corresponding private key is used to sign transmitted data, so that the receiver can verify the identity of the sender. See also digital signature.

signing key. A private key used for signing only. A signing key and its equivalent public key, together with an encryption key and its equivalent public key, constitute a dual key pair.

spoofing. Pretending to be someone else. For example, a person can pretend to have the email address jdoe@mozilla.com, or a computer can identify itself as a site called www.mozilla.com when it is not. Spoofing is one form of impersonation. See also misrepresentation.

SSL. See Secure Sockets Layer (SSL).

subject. The entity identified by a certificate. In particular, the subject field of a certificate contains a unique representation of the certified entity's name and other characteristics.

subject name. A distinguished name (DN) that uniquely describes the subject of a certificate.

subordinate CA. A certificate authority (CA) whose certificate is signed by another subordinate CA or by the root CA. See also certificate chain, root CA.

symmetric encryption. An encryption method that uses the same cryptographic key to encrypt and decrypt a given message.

tamper detection. A mechanism ensuring that data received in electronic form has not been tampered with; that is, that the data received entirely corresponds with the original version of the same data.

trust. Confident reliance on a person or other entity. In the context of public-key infrastructure (PKI), trust refers to the relationship between the user of a certificate and the certificate authority (CA) that issued the certificate. If you trust a CA, you can generally trust valid certificates issued by that CA. You typically control which CAs you trust and which you don't, and thet kinds of certificates you trust them to issue, by means of settings within your browser or server software.