SynAc

Terms

Alphabetical index of published term entries with tag filters and quick sort.

  1. Updated Jan 06, 2026

    See: Tutorial under "Trusted Computer System Evaluation Criteria".

  2. Updated Jan 06, 2026

    "A [digital] certificate for one CA issued by another CA." [X509]

  3. Updated Jan 06, 2026

    A security policy domain that "consists of a CA and its subjects [i.e., the entities named in the certificates issued by the CA]. Sometimes referred to as a PKI domain." [PAG] (See: domain.)

  4. Updated Jan 06, 2026

    A cipher that is defined for an alphabet of N characters, A(1), A(2), ..., A(N), and creates cipher text by replacing each plaintext character A(i) by A(i+K, mod N) for some 0<K<N+1. [Schn]

  5. Updated Jan 06, 2026

    Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the framework.

  6. Updated Jan 06, 2026

    An authentication technique for terminals that remotely access a computer via telephone lines; the host system disconnects the caller and then reconnects on a telephone number that was previously authorized for that terminal.

  7. Updated Jan 06, 2026

    Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

  8. Updated Jan 06, 2026

    Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log.

  9. Updated Jan 06, 2026

    The means to accomplish a mission, function, or objective.

  10. Updated Jan 06, 2026

    A mechanism that implements access control for a system entity by enumerating the system resources that the entity is permitted to access and, either implicitly or explicitly, the access modes granted for each resource. (Compare:

  11. Updated Jan 06, 2026

    Method for judging the maturity of software processes in an organization and for identifying crucial practices needed to increase process maturity. [Chris] (Compare: Common Criteria.)

  12. Updated Jan 06, 2026

    A token (usually an unforgeable data object) that gives the bearer or holder the right to access a system resource. Possession of the token is accepted by a system as proof that the holder has been authorized to access the resource indicated by the token. (See: attribute certificate, capability list, credential, digital certificate, ticket, token.)

  13. Updated Jan 06, 2026

    An entity to whom or to which a card has been issued.

  14. Updated Jan 06, 2026

    A digital certificate that is issued to a cardholder upon approval of the cardholder's issuing financial institution and that is transmitted to merchants with purchase requests and encrypted payment instructions, carrying assurance that the account number has been validated by the issuing financial institution and cannot be altered by a third party. [SET1]

  15. Updated Jan 06, 2026

    A CA responsible for issuing digital certificates to cardholders and operated on behalf of a payment card brand, an issuer, or another party according to brand rules. A CCA maintains relationships with card issuers to allow for the verification of cardholder accounts. A CCA does not issue a CRL but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]

  16. Updated Jan 06, 2026

    A grouping of sensitive information items to which a non-hierarchical restrictive security label is applied to increase protection of the data. (See: formal access approval. Compare: compartment, classification.)

  17. Updated Jan 06, 2026

    The fabrication of a false online identity by a cybercriminal for the purposes of deception, fraud, or exploitation.

  18. Updated Jan 06, 2026

    A document that attests to the truth of something or the ownership of something.

  19. Updated Jan 06, 2026

    An open-source software module that is designed to be integrated with an application for routing, replying to, and otherwise managing and mediating certificate validation requests between that application and the CAs in the ACES PKI.

  20. Updated Jan 06, 2026

    Synonym for "certification authority".

  21. Updated Jan 06, 2026

    Synonym for "certification path". (See: trust chain.)

  22. Updated Jan 06, 2026

    Synonym for "certificate validation" or "path validation".

  23. Updated Jan 06, 2026

    The act or process by which a CA sets the values of a digital certificate's data fields and signs it. (See: issue.)

  24. Updated Jan 06, 2026

    The event that occurs when a certificate ceases to be valid because its assigned lifetime has been exceeded. (See: certificate revocation, expire.)

  25. Updated Jan 06, 2026

    See: extension.

  26. Updated Jan 06, 2026

    Synonym for the "subject" of a digital certificate. (Compare: certificate owner, certificate user.)

  27. Updated Jan 06, 2026

    The functions that a CA may perform during the lifecycle of a digital certificate, including the following: Acquire and verify data items to bind into the certificate. Encode and sign the certificate. Store the certificate in a directory or repository. Renew, rekey, and update the certificate. Revoke the certificate and issue a CRL. (See: archive management, certificate management, key management, security architecture, token management.)

  28. Updated Jan 06, 2026

    Used to mean either a CA or an RA. [DoD7, SP32]

  29. Updated Jan 06, 2026

    Synonym for the "subject" of a digital certificate. (Compare: certificate holder, certificate user.)

  30. Updated Jan 06, 2026

    Synonym for "certification path".

  31. Updated Jan 06, 2026

    "A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." [X509] (Compare: CPS, security policy.)

  32. Updated Jan 06, 2026

    Information that pertains to a certificate policy and is included in a "certificatePolicies" extension in a v3 X.509 public key certificate.

  33. Updated Jan 06, 2026

    A specification (e.g., [DoD7, R3280]) of the format and semantics of public key certificates or attribute certificates, constructed for use in a specific application context by selecting from among options offered by a broader standard. (Compare: protection profile.)

  34. Updated Jan 06, 2026

    The act or process by which a digital certificate, that a CA has designated for revocation but not yet listed on a CRL, is returned to the valid state.

  35. Updated Jan 06, 2026

    The act or process by which an existing public key certificate has its key value changed by issuing a new certificate with a different (usually new) public key. (See: certificate renewal, certificate update, rekey.)

  36. Updated Jan 06, 2026

    The act or process by which the validity of the binding asserted by an existing public key certificate is extended in time by issuing a new certificate. (See: certificate rekey, certificate update.)

  37. Updated Jan 06, 2026

    Synonym for "certification request".

  38. Updated Jan 06, 2026

    The event that occurs when a CA declares that a previously valid digital certificate issued by that CA has become invalid; usually stated with an effective date.

  39. Updated Jan 06, 2026

    A data structure that enumerates digital certificates that have been invalidated by their issuer prior to when they were scheduled to expire. (See: certificate expiration, delta CRL, X.509 certificate revocation list.)

  40. Updated Jan 06, 2026

    A mechanism for distributing notices of certificate revocations; uses a tree of hash results that is signed by the tree's issuer. Offers an alternative to issuing a CRL, but is not supported in X.509. (See: certificate status responder.)

  41. Updated Jan 06, 2026

    An integer value that (a) is associated with, and may be carried in, a digital certificate; (b) is assigned to the certificate by the certificate's issuer; and (c) is unique among all the certificates produced by that issuer.

  42. Updated Jan 06, 2026

    "A trusted entity that provides on line verification to a Relying Party of a subject certificate's trustworthiness [should instead say 'validity'], and may also provide additional attribute information for the subject certificate." [DoD7]

  43. Updated Jan 06, 2026

    A trusted online server that acts for a CA to provide authenticated certificate status information to certificate users [FPKI]. Offers an alternative to issuing a CRL. (See: certificate revocation tree, OCSP.)

  44. Updated Jan 06, 2026

    The act or process by which non-key data items bound in an existing public key certificate, especially authorizations granted

  45. Updated Jan 06, 2026

    A system entity that depends on the validity of information (such as another entity's public key value) provided by a digital certificate. (See: relying party. Compare: /digital certificate/ subject.)

  46. Updated Jan 06, 2026

    An act or process by which a certificate user establishes that the assertions made by a digital certificate can be trusted. (See: valid certificate, validate vs. verify.)

  47. Updated Jan 06, 2026

    Comprehensive evaluation (usually made in support of an accreditation action) of an information system's technical security features and other safeguards to establish the extent to which the system's design and implementation meet a set of specified security requirements. [C4009, FP102, SP37] (See: accreditation. Compare: evaluation.)

  48. Updated Jan 06, 2026

    An entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.

  49. Updated Jan 06, 2026

    A computer system that enables a CA to issue digital certificates and supports other certificate management functions as required.

  50. Updated Jan 06, 2026

    A tree-structured (loop-free) topology of relationships between CAs and the entities to whom the CAs issue public key certificates. (See: hierarchical PKI, hierarchy management.)