Definitions and Acronyms
5 Nines - refers to a goal of 99.999% uptime, that is, the system is accessible 99.999% of the calendar year (also 5 9's, Five Nines).
Accreditation Authority (AA) An ESI management Entity with the authority to permit a subordinate ESI Entity to operate within a particular domain. The PA is the accreditation authority for all connections to the AESI. A particular department within an Agency may be assigned the role of accreditation authority for the Level One CA within that Agency.
Activation Data The private data that are required to access cryptographic modules (password, biometric authentication, any items other than the direct cryptographic keys).
Affiliated Certificate A certificate issued to an affiliated individual. (see Affiliated Individual)
Affiliated Individual a person affiliated with an organization (i) as an officer, director, employee, partner, contractor, intern, or other role within the organization, or (ii) as a person maintaining a contractual relationship with the organization where the organization has business records providing strong assurances of the identity of such person. (see Affiliated Certificate)
Authentication relates to the process where one party has presented an identity and claims to be that identity. Authentication of a Subscriber by a CA or RA enables the Relying Party to be confident that the assertion is legitimate.
Authenticating Entity the Entity performing authentication and asserting that the Subscriber is the party they are represented to be.
Authority Revocation List (ARL) A list of revoked CA certificates. An ARL is a CRL for CA crosscertificates.
Archive to store records and associated journals for a given period of time for security, backup, or auditing purposes.
Arizona Electronic Signature Infrastructure (AESI) This is the set of organizations, policies, processes and equipment used to administer Arizonas electronic signature tools and the instruments created from their use. [This is an extension of the definition of PKI to include the fact that Arizonas statute recognizes the possibility of nonPKI based electronic signatures.] The AESI is defined and managed by the Policy Authority with support from the Office of the Secretary of State, GITA and State Treasurers Office as defined in the Administrative Rules and Statute.
Audit a procedure that validates that appropriate controls are in place. An audit would include recording and analyzing activities to detect intrusions or abuses of the information system. Inadequacies are appropriately reported.
Availability the extent that information or processes are reasonably accessible and usable as needed by authorized Entities allowing timely performance of timecritical operations.
Binding an affirmation by a CA (or its LRA) of the relationship between a named Entity and its Public Key.
Certification The process where a CA issues a Certificate for a Subject's Public Key and sends that Certificate to the Subject for acceptance and, on acceptance, posts that certificate in a Repository. [Some nonAESI systems employ a less restrictive process]
Certificate The public PKIbased key of a Subscriber (or nonPKI technology based equivalent), together with related information, digitally signed with the private PKIbased key of the Certification Authority that issued it(or nonPKI technology based equivalent). The certificate technology is in accordance with standards established by GITA.
The Certificate data record, at a minimum: (a) identifies the Issuing CA; (b) identifies its Subscriber; (c) contains a public key that corresponds to a private key under the control of the Subscriber; (d) identifies its operational period; and (e) contains a Certificate serial number and is digitally signed by the Issuing CA. As used by AESI, the term of "Certificate" refers to certificates that expressly reference the OID of a specific Certificate Policy in the "CertificatePolicies" field of a PKI Certificate or the nonPKI equivalent..
Certificate Repository The party maintaining a list of valid PGP certificates. They may or may not have a CRL or a list of certificates showing when they were valid for validation after the fact.
Certificate Revocation List (CRL) A list maintained by a Certification Authority of the certificates that it has issued that have been revoked before their scheduled expiration date.
A CRL is a time stamped list identifying revoked certificates which is signed by a CA and made available in a Repository. Each revoked certificate is identified in a CRL by its certificate serial number. When a EndEntity uses a Certificate (e.g., for verifying a Subject's electronic signature), the EndEntity not only checks the certificate signature and validity but also acquires a reasonably current CRL and checks that the certificate serial number is not on that CRL. The appropriate CP and CPS will define what is "reasonably current," but it usually means the most recentlyissued CRL. A CA issues a new CRL on a regular periodic basis (e.g., hourly, daily, or weekly). CAs may also issue CRLs when an important key is deemed compromised and the CA wishes to expedite notification of that fact.
On line methods of revocation notification may be applicable as an alternative CRL in some circumstances. PKIX defines a protocol known as OCSP [OCSP] to facilitate online checking of the status of certificates. Online revocation checking may significantly reduce the delay between a revocation report and the information reaching Relying Parties. This requires a trusted Validation Authority rather than the trust indifference in using a CRL, that is, this method is faster but imposes new security requirements since the Relying Party must trust the online Validation Authority while the repository does not need to be trusted.
CA Applicant an Entity submitting a CA application to the PA requesting to become a CA or subordinate CA under the terms of a CP. (see Subscriber)
Certificate Applicant an Entity requesting the issuance of a Public Key Certificate by an CA. (see CA Applicant; Subscriber)
Certificate Application a request from a Certificate Applicant to a CA for the issuance of a Certificate. (see Certificate Applicant; Certificate Signing Request)
Certificate Chain an ordered list of Certificates containing an EndEntity Subscriber Certificate and CA Certificates (see Valid Certificate)
Certificate Expiration the time and date specified in the certificate when the operational period ends, without regard to any earlier suspension or revocation.
Certificate Extension a PKI certificate may employ extension fields to convey additional information about the Public Key being certified, the Subscriber, the Certificate Issuer, and elements of the certification process (such as identifying the Certificate Policy by OID).
Standard extensions will be used by CAs within AESI. Custom extensions can also be defined within a Certificate Policy issued by the Policy Authority.
Certificate Hierarchy the ESI domain of CAs, each categorized with respect to its role in a "tree structure" of subordinate CAs. A CA issues and manages Certificates for EndEntity Subscribers and/or for one or more CAs at the next level. The CP defining an ESI establishes certain uniform practices for addressing issues such as naming, maximum number of levels, etc., to assure integrity of the domain and thereby ensure uniform accountability, auditability, and management through the use of trustworthy operational processes. A CA in an ESI is in a trust hierarchy and shall conform to the practices established in the CP..
Certificate Issuance the actions performed by a CA creating a certificate and notifying the certificate Applicant (anticipated to become a Subscriber) listed in the Certificates contents.
Certificate Management certificate management includes, but is not limited to, storage, dissemination, publication, revocation, and suspension of certificates. An CA undertakes certificate management functions by serving as a Registration Authority for Subscriber Certificates. A CA designates issued and accepted Certificates as valid by publication to a Repository.
Certificate Serial Number a value that unambiguously identifies a Certificate generated by a CA.
Certificate Signing Request (CSR) a machinereadable form of a certificate application. (see Certificate Application)
Certification Authority (CA) An authority trusted by one or more users to issue and manage Certificates and CRLs. Each CA within the AESI may issue certificates under a choice of policies based on the assurance level the CA has been accredited to and the requirements and role of the Subscriber. It is important to note that the CA is responsible for the certificates during their whole lifetime, not just for issuing them.
Certificate Manufacturer (CM) the Entity that manufactures and delivers PGP Certificates. The Subscriber may do this themselves, but this may be delegated to another. The CM is not responsible for identification and authentication of certificate Subjects, the RA is.
Certificate Manufacturing Authority (CMA) the Entity that manufactures and delivers the Certificates signed by an CA. The CA may do this itself, but it may subcontract this activity. The CMA is not responsible for identification and authentication of certificate Subjects, the CA is.
Certificate Policy (CP) a named set of rules that indicates the applicability of a certificate to a particular community with a class of applications having common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic procurement transactions within a given price range.
Certification Authority Software The cryptographic software required to manage the PKI keys (or nonPKI technology based equivalent) of End Entities.
Certification Practice Statement (CPS) a statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing Certificates and providing access to them. The CPS is a statement of the CAs practices that fulfill and expand on the specific requirements the Policy Authority has published in the Policy Authority Practices document and in the specific Certificate Policy document that the CPS is bound to.
Class [n] Certificate A certificate of a specified level of trust (denoted as n).
Compromise an unauthorized disclosure (or loss of control) of sensitive information may have occurred in violation (or suspected violation) of a security policy (see Data Integrity). Usually discussed in terms of compromise of a Certificates Private Key.
Confidentiality the need to keep sensitive data secret and disclosed only to authorized parties.
Confirmation Of Certificate Chain the process of validating a certificate chain and subsequently validating a Subscriber certificate. (see also Valid Certificate)
The Relying Party, to authenticate the public key (in each certificate), must confirm that each certificate in the chain is valid, that each was issued within the operational period of the corresponding CA certificate, and that all parties (CAs, Subscribers, and Relying Parties) have operated in accordance with the appropriate CP as well as the appropriate CAs CPS for each certificate in the chain.
CrossCertificate A Certificate used to establish a trust relationship between two Certification Authorities.
A CrossCertificate is a Certificate issued by one CA to another CA which contains a public CA key associated with the private CA signature key used for issuing Certificates. Typically, a cross certificate is used to allow End Entities in one ESI to communicate security with End Entities in another ESI (but may also occur within a single ESI). Use of a crosscertificate issued from CA#1 to CA#2 allows Entity#a (who trusts, has a Certificate issued by, CA#1) to accept a certificate used by Entity#b (who trusts, hase a Certificate issued by CA#2). Crosscertificates between two CA's can be issued in one direction only, or in both directions. The crosscertification often is for a specific Class or for a specific Class and "higher" so crosscertification involves a "mapping" of Certificate Class attributes between the two CAs to assure a correct match between them.
Cryptographic Algorithm a clearly defined mathematical computation, that is, a complete set of rules to produce a prescribed result.
Cryptography is both a mathematical method and a discipline using that method.
Data Integrity Assurance that the data are unchanged from creation to reception.
Digital Signature The result of a transformation of a message by means of a cryptographic system using keys such that a person who has the initial message can determine: (a) whether the transformation was created using the key that corresponds to the signers key; and (b) whether the message has been altered since the transformation was made. [Note that Digital Signature is commonly associated with PKIbased technology whereas Arizona recognizes a wider range of possible signature technologies see Electronic Signature.]
Distinguished Name (DN) a data set that identifies an Entity in the real world (such as a natural person) in the electronic context. (e.g., countryName=US, state=California, organizationName=Electronic Inc., commonName=JohnDoe).
Electronic Signature [Note that whereas Arizona recognizes a wider range of possible signature technologies, most common current implementations employ PKIbased technology see Digital Signature.]
Electronic Signature Infrastructure (ESI) A set of organizations, policies, processes and equipment established within AESI to administer a specific community or class of applications. [This is an extension of the definition of PKI to include the fact that Arizonas statute recognizes the possibility of nonPKI based electronic signatures.]
Encryption the process of transforming ordinary text data into an unintelligible form (ciphertext) so the original data cannot be either recovered directly (oneway encryption) or through an inverse decryption process (twoway encryption).
Enrollment the process of an applicant applying for a Certificate.
Extensions the extension fields in PKIX based certificates.
EndEntity An entity that uses the keys and certificates created within the ESI for purposes other than the management of the aforementioned keys and certificates. An EndEntity may be a Subscriber, a Relying Party, a device, or an application.
Entity Any autonomous element within the Electronic Signature Infrastructure. This may be a CA, an LRA, or an EndEntity.
Five Nines - (see 5 Nines)
Government Information Technology Agency (GITA) Agency directed by Arizonas CIO.
Issuing Authority Certificate a certificate issued by an superior IA/CA to a subordinate IA/CA. (see Issuing Authority, topCA, Level One CA, and Level Two CA)
Identification / Identify the process of confirming a persons identity. Certificates facilitate identification in public key cryptography (and nonPKI equivalent systems).
Internet Engineering Task Force (IETF) is a large, open international community of network designers, operators, vendors, and researchers collaborating on the evolution of the Internet architecture to improve the operation of the Internet.
Issuing CA the CA that signed and issued the particular certificate. (see Issuing Authority)
Issuing Authority (IA) the CA that signed and issued the particular certificate.
Key Generation the trustworthy process of creating a Private Key and Public Key pair. The Public Key is supplied to a CA during the certificate application process while the Private Key is only supplied to the Subscriber.
Key Pair two keys mathematically related such that (i) one key can be used to encrypt a message which can then only be decrypted using the other key, and (ii) even knowing one key, it is computationally infeasible to discover the other key (or the nonPKI equivalent).
Key Pair Recovery Some CPs will provide for having key exchange or encryption keys "backed up" or recoverable in case the key is lost and access to previously encrypted information is needed. This will seriously damage any claim for NonRepudiation and is only used in implementations where the importance of information recovery overrides the need for NonRepudiation. The issue is generally to read email or other documents encrypted by or for a particular employee when that employee is no longer available to access the document. In such a case, the Subject's Private Key is backed up by a CA or by a separate key backup system. If Subject or the Subjects employer needs to recover these backed up key materials, the ESI must provide a system that permits the recovery without an unacceptable risk of compromise of the Private Key. Key Pair Recovery Repositories should never include Certificates where NonRepudiation is paramount. Inclusion in such a Repository opens a challenge to any claim for NonRepudiation.
Level One CA The highest level CA within a State agency. Level One CAs are crosscertified with the AESI and may also be crosscertified with subordinate departmental (Level Two) CAs.
Level Two CA Any CA within a State agency that is subordinate to the Agencys Level One CA.. Level Two CAs are crosscertified with the Agency (Level One) CAs with that crosscertification process subject to approval by the PA.
Local Registration Authority (LRA) A person or organization that is responsible for the identification and authentication of certificate Subscribers before certificate issuance, but does not actually sign or issue the certificates. A LRA is delegated certain tasks on behalf of a CA. [see Registration Authority]
Notary - a natural person authorized by State of Arizona to perform notarial services which include witnessing or attesting to signatures.
NonRepudiation asserts proof of the origin or delivery of data in order to protect the sender against a false denial by the recipient that the data has been received or to protect the recipient against false denial by the sender that the data has been sent. Only a trier of fact (someone with the authority to resolve disputes) can actually make a determination of nonrepudiation. An electronic signature verified in accordance with the relevant CPS can provide proof in support of a determination of nonrepudiation by a trier of fact, but does not by itself constitute nonrepudiation.
Object Identifier (OID) The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the AESI PKI they are used to uniquely identify each of the eight policies and cryptographic algorithms supported.
Operational Authority Agency personnel who are responsible for the overall operation of an AESI CA.
Operational Certificate a certificate within its operational period at the specified date and time.
Operational Period the period beginning with the date and time the certificate was issued (or on a later date and time if so stated in the certificate) and ending with the earlier date and time of either when it expired or when was revoked.
Organization A agency, department, corporation, partnership, trust, joint venture, or other association or governmental body.
Outofband parties communicate by a different method from the current method of communication (e.g., one party using U.S. Postal mail to communicate with the other party while current communication is done online).
Policy Authority (PA) The State of Arizona body responsible for setting, implementing, and administering policy decisions regarding CPs and CPSs throughout the AESI.
The PA signs and manages the crosscertificates of State of Arizona Agency Level One CAs. The PA also signs and manages crosscertificates with nonState of Arizona CAs. The PA does not manage any Subscriber certificates.
Private Key The key of a key pair used to create a digital signature. It is the publicly unknown half of the Public/Private key pair employed by PKI technology to uniquely link a key pair to the entity possessing the Private key of the pair while the world possesses the Public key of the pair (used here to also define the nonPKI technology based equivalent of these elements).
Public Key The key of a key pair used to verify a digital signature. It is the publicly known half of the Public/Private key pair employed by PKI technology to uniquely link a key pair to the entity possessing the Private key of the pair (used here to also define the nonPKI technology based equivalent of these elements).
Public Key Infrastructure (PKI) A set of organizations, policies, processes, and equipment used to administer public/private keys and certificates created from their use. [Note that Arizonas statute recognizes the possibility of nonPKI based electronic signatures.]
"A collection of certificates, with their issuing CA's, subjects, relying parties, RA's, and repositories, is referred to as a Public Key Infrastructure, or PKI." from the IETF draft Internet X.509 Public Key Infrastructure PKIX Roadmap (draftietfpkixroadmap02.txt)
Registration The process where a Subject: 1) applies for a Certificate with a CA (directly, or through an RA), and 2) the CA issues a Certificate(s) for that Subject. Registration involves: 1) the Subjects providing the personal information required for the Class of Certificate applied for, and other attributes needed to be put in the Certificate, followed by 2) the CAs (possibly with help from the RA) verifying in accordance with its CPS that the name and other attributes are correct.
Registration Authority (RA) an entity that may be given responsibility for performing some of the administrative tasks necessary in the registration of Subjects, such as: confirming the Subject's identity; validating that the Subject is entitled to have the attributes requested in a Certificate; and verifying that the Subject has possession of the Private Key associated with the Public Key requested for a Certificate. [see Local Registration Authority]
Relying Party A person who: 1) uses a certificate signed by a AESI CA to authenticate an electronic signature or to encrypt communications to the certificate Subject, and 2) is a Subscriber of a AESI CA or a ESI that is crosscertified with the AESI.
Repository A location where CRLs, ARLs and Certificates are stored for access by EndEntities. (see Repository Services Provider)
Responsible Individual - represents the sponsoring organization with respect to the issuance and management of certificates. The Responsible Individual is responsible for properly indicating which subscribers are to receive Certificates.
Revocation A Certificate is expected to be in use for its entire validity period when it is issued. But various circumstances can invalidate a certificate prior to its expiration date. Such circumstances include change of Subject name, change of association between Subject and CA, and compromise or suspected compromise of the Certificates Private Key. The CA will then need to revoke the certificate. Current protocols define one method of certificate revocation which involves each CA periodically issuing a signed data structure called a CRL (see Certificate Revocation List).
Root CA (rootCA) a CA that is directly trusted by an end entity [the process of securely acquiring the value of a root CA public key requires some outofband step(s)]. Note that this term is not meant to imply that a root CA is necessarily at the top of any hierarchy, simply that the CA in question is trusted directly. [For top of a hierarchy CA, see topCA]
Repository Services Provider (RSP) - a Certificate Authority or their agent that maintains the CA's Repository. An RSP by provide services to more than one CA. (see Certificate Authority, Repository)
RSA An publickey encryption technology developed by RSA Data Security, Inc. The acronym RSA stands for the techniques inventors: Rivest, Shamir, and Adelman. They developed the RSA algorithm from the fact that there is no efficient way to factor very large numbers. Therefore deducing an RSA key requires an extraordinary amount of computer processing power and time. RSA has become the de facto standard for industrialstrength encryption, especially for data sent over the Internet.
Sponsor A Sponsor in the AESI is the Agency, department or public servant who has nominated that a specific individual or organization be issued a certificate. (e.g., for an employee this may be the employees manager). In the case of a certificate for a citizen or a commercial enterprise the Sponsor could be the manager of the State of Arizona business unit that has a requirement to communicate with that Entity.
The Sponsor might suggest an appropriate DN for the certificate and will be responsible for either supplying or confirming that the certificate attribute details to the LRA. The Sponsor is also responsible for informing the CA or LRA if the Sponsors relationship with the Subscriber is terminated or has changed such that the certificate should be revoked or updated.
Subject a subject is the entity (CA or EndEntity) named in a Certificate. Subjects can be natural persons, devices or even software agents.
Subordinate CA a CA that is not a rootCA for the End Entity in question. A subordinate CA will usually not be a rootCA for any entity but this is not mandatory
Subscriber An individual or organization whose Public Key is certified in a Certificate. In the AESI this could be a public servant, a citizen, or a government client or supplier. Subscribers may have one or more certificates from a specific CA associated with them; most will have at least two active certificates one containing their Electronic Signature verification key; the other containing their Confidentiality encryption key.
Time Stamp a notation indicating the correct date and time of an action and the identity of the EndEntity that sent or received the time stamp.
Token a hardware security token containing an End Entitys Private Key(s), Public Key Certificate, and, optionally, a cache of other Certificates, including all certificates in the EndEntitys Certification Chain.
Top CA (topCA) a CA that is at the top of the ESI hierarchy. Note: this is often also called a "root CA" since, in data structures terms and in graph theory, the node at the top of a tree is the "root". However, to minimize confusion, it is here called the "Top CA" or "topCA" with "root CA" reserved for the CA directly trusted by the user. [Readers should be aware that these terms are not used consistently throughout the Electronic/Digital Signature community. Some documents use "root CA" to refer to what other documents call a "top CA", and "mosttrusted CA" to refer to what this and other documents call a "root CA".]
Transaction an electronic transfer of information (typically over the Internet).
Trust the assumption that an Entity will behave substantially as expected. Trust may be only extended for one specific function. The key role of this term within Authentication is to describe the relationship between an authenticating Entity and a CA. An authenticating Entity must be certain that it can trust the CA to create only valid and reliable Certificates, and that Relying Parties and other users of those Certificates rely upon the authenticating Entitys determination of trust.
Trusted Person a person who serves in a trusted position and is qualified to serve in it in accordance with the governing CP and CPS. (see Trust; Trusted Position; Trusted Third Party)
Trusted Position the role within a CA that includes access to or control over operations that may materially affect the issuance, use, suspension, or revocation of certificates.
Trusted Root a trusted root is the Public Key that an Entity will find reaffirmed as bound to a CA. Software and systems implementing authentication based on PKIX and Certificates assume that this key value has been correctly obtained. It is confirmed by always accessing it from a trusted system Repository that can only be modified by identified and trusted administrators.
Type (Of Certificate) the critical properties of a certificate that limit its intended purpose to a class of applications uniquely associated with that type. (see Class [n] Certificate)
Uniform Resource Locator (URL) the addressing method used for identifying and locating certain records and other resources located on the World Wide Web.
Valid Certificate a Certificate that 1) was issued by an Approved CA, 2) was accepted by the Subscriber listed in it, 3) has not expired, and 4) has not been revoked. A Certificate is not "valid" until it is both issued by an Approved CA and been accepted by the Subscriber.
Validate A Certificate Chain - see Confirmation of Certificate Chain.
Verify (A Digital Signature) to determine for a given digital signature and message that