SLCS Glossary


For a full glossary of AAI, see also the AAI Glossary


AAA
Authentication, Authorization and Accounting
AAI
Authentication and Authorization Infrastructure
Authentication
Process of identifying a previously registered user.
Authorization
Process of granting or denying access to a resource for an authenticated user.
(Authorization) Attributes
User data (such as name, affiliation, study branch, etc.) needed for access control decisions. The attributes used by SWITCHaai are defined in the Authorization Attribute Specification.
Attribute Authority (AA, deprecated)
The AA is a component of the Identity Provider. It issues attributes on behalf of an organization.
A component of the Identity Provider. It retrieves attributes from various data sources (LDAP, Active Directory, ...) and performs the necessary transformations for SAML transport.
Certificate Authority (CA)
An internal entity or trusted third party that issues, signs, revokes and manages digital certificates.
Certificate
Information issued by a trusted party, often held in a directory with public access, and used to identify an individual or a system. Contains at least a subject, a unique serial number and a validity period.
Certificate Extension
Optional fields in a certificate.
CMC
Specification for certificate management messages using CMS (Cryptographic Message Syntax). It is described in RFC 2797.
Certificate Policy / Certification Practice Statement (CP/CPS)
See CP and CPS
Certificate Policy (CP)
Rules that a request must comply with for the RA to approve the request or a CA to issue a certificate.
Certification Practice Statement (CPS)
Document that regulates rights and responsibilities of all the parties involved (RA, CA, End Entity, Relying Party) within a PKI infrastructure.
Certificate Revocation List (CRL)
List of certificates that have been declared invalid. This list is issued by the CA at a regular interval and is used by applications to verify if a certificate is to be trusted.
Credentials
Evidence asserting the user's right to access certain systems (e.g. username, password, etc).
Certificate Signing Request (CSR)
Document or digital information requesting the issuance of a certificate to an End Entity.
Distinguished Name (DN)
See Subject
End Entity (EE)
System (individual, host, service) that receives a certificate expressing its identity.
EuGridPMA
International organization to coordinate the trust fabric for e-Science grid authentication in Europe. See EuGridPMA website for details.
Federated Identity Management
The management and use of identity information across security domains, e.g. between individual universities. It deals with issues such as interoperability, liability, security, privacy and trust.
Federation
A federation is a collection of organizations that agree to interoperate under a certain ruleset. Federations will usually define trusted roots, authorities and attributes, along with distribution of metadata representing this information.
Federation Member
A Federation Member is an organization (such as a university, library, etc.) that runs one Identity Provider and any number of AAI-enabled Resources. Federation Members have to agree on a common set of policies and rules defined in the AAI Service Agreement in order to allow for a smooth and proper functioning of the AAI.
Home Organization, Home Org
A participating organization representing a user community, e.g. a university, library, university hospital etc. A Home Organization registers users and stores information about them. Furthermore, it is able to authenticate its users.
Hardware Security Module (HSM)
Hardware-based security device that generates, stores and protects cryptographic keys.
Identity Provider (IdP)
An Identity Provider is a Shibboleth server that authenticates users and conveys their attributes to requesting resources. In other terms it provides the digital identities of its users to other servers in the AAI.
International Grid Trust Federation (IGTF)
Body with the goal of harmonizing and synchronizing PMA policies to establish and maintain global trust relationships in e-Science. See IGTF website for details.
International Telecommunication Union (ITU)
International organization established to standardize and regulate international radio and telecommunication.
ITU-T
International Telecommunication Standardization Sector.
Key
The secret used as input for cryptographic algorithms during the transformation of a message.
Key Password
Password used to encrypt the private key.
Key Size
Length of the private and public key. Regular sizes are 512, 768, 1024, 2048 and 4096, with 1024 the most common key size.
Key Usage
Purpose for which the key is intended to be used. This information is stored in the certificate itself to allow applications to verify that the key presented is intended for this usage.
Member Integrated Credential Service (MICS)
An IGTF profile for issuing (long-lived) X.509 certificates to End Entities based on an identity management system operated by an institution.
OASIS
A not-for-profit global consortium involved in the development, convergence and adoption of e-business standards. See OASIS website for details.
Online Certificate Status Protocol (OCSP)
Method to verify in real-time if a certificate is valid.
Policy Management Authority (PMA)
Body responsible for defining minimum standards for the CP/CPSs of PKI infrastructures and accrediting against those standards.
Public Key Infrastructure (PKI)
Processes and technologies used to issue and manage digital certificates, enabling third parties to authenticate individual users, services and hosts.
Private Key
One of two keys used in public key cryptography. The private key is known only to its owner and is used to sign outgoing messages and to decrypt incoming messages.
Profile
End users can optionally create a Profile, which functions as a "container" for the end user certificates. The profile contains information that helps the RA identify the end user in case of forgotten passwords or other service requests. A profile is an alternate method to authenticate end users: through the profile, end users access and manage their digital identities and their requests. The profile is stored inside the CA infrastructure in encrypted form and can only be accessed by the owner and viewed by the appropriate RAO.
Public Key
One of two keys used in public key cryptography. The public key can be known to anyone and is used to verify signatures on incoming messages and to encrypt a file or message so that only the holder of the private key can decrypt it.
Registration Authority (RA)
An entity which asserts the identity of a certificate requester to the issuing Certificate Authority.
Resource
Web application, web site, information system, etc. An AAI-enabled Resource requests attributes about users from an Identity Provider and makes access decisions based on these attributes.
Revocation
Invalidation of a certificate. Every CA regularly issues a list of revoked certificates, called a CRL. This list should be verified by all applications that use certificates from that CA before trusting a certificate.
Rollover
SAML
SAML - the Security Assertion Markup Language - is an XML framework for exchanging authentication and authorization information. SAML is a standard of OASIS. The software Shibboleth - and thus SWITCHaai - is based on SAML.
Service Provider (SP)
A Shibboleth term. Synonym for an AAI-enabled Resource, although used in a more technical sense.
Shibboleth
The name of an architecture and an open source software developed by Internet2/MACE (Middleware Architecture Committee for Education). Shibboleth is based on SAML and allows the implementation of an AAI. SWITCHaai makes use of Shibboleth.
Short-lived X.509 Certificate
An X.509 certificate with a lifetime of less than 1 million seconds (approx. 11 days).
Short-lived X.509 Credential Service (SLCS)
A service returning a short-lived X.509 certificate to a requester after successful authentication.
SWITCHaai Federation
The Shibboleth-based production federation in Swiss higher education and research, coordinated and led by SWITCH.
Single Sign-On (SSO)
Single Sign-On enables the user to gain access to multiple Resources by authenticating only once.
User
Registered member of a Home Organization.
User Interface (UI) [in grid terminology]
Host from which a grid user accesses grid resources. Note that this does not imply access through a graphical user interface.
X.509 Certificate
ITU-T standard for public key infrastructures. It defines among other things standard formats for certificates. See