| E-Commerce
PKI CA Glossary
Access Control
The prevention of unauthorised use of a resource, including the
prevention of use of a resource in an unauthorised manner.
[ISO 7498-2: 1989]
Affiliate Registration Authority
Affiliate Registration Authorities (ARAs) directly under the E-Commerce
PKI CA have a contractual relationship with WISeKey S.A. (as operator
of the E-Commerce PKI CA) through which they undertake to comply
with this Certification Practice Statement. They perform their Affiliate
Registration Authority functions for Affiliate Registration Organisations
(AROs) and perform ARA and ARO functions for End Users to which
they provide certification services.
The functions of an Affiliate Registration Authority consist in
maintaining an infrastructure that constitutes a data processing
and storage centre as well as a gateway between E-Commerce PKI CA
and an Affiliate Registration Organisation. E-Commerce PKI CA operates
an ARA internally for all AROs that are directly connected to it
but external ARAs can be established as standalone infrastructures,
in which case they are operated purely as ARAs providing the corresponding
infrastructure and data management services to E-Commerce PKI CA
and to the AROs located below it (as indicated in diagram 2). Where
sufficient volume for certificate processing needs exist, ARAs may
also provide high-volume automated registration services. Some of
the additional functions that an ARA may perform are the following:
· have the Web-based Registration Officer user interface
tailored to its own local needs, e.g. local language support, localised
presentation format etc.;
· propose to E-Commerce PKI CA the approval of Certificate
Policies that meet the needs of its users; and
· have a dedicated infrastructure for the provision of certificate
services requested by its Affiliate Registration Organisations and
End Users.
Affiliate Registration Organisation
Affiliate Registration Organisations are restricted to the performance
of the ARO functions for End Users and are issued certificates by
E-Commerce PKI CA, which may perform both the ACA and the ARA functions
required by the ARO. E-Commerce PKI CA operates an ARO internally
for End Users that directly request certificates to it. External
AROs can also be established as standalone infrastructures, in which
case they are operated purely as AROs providing End User certification
services to E-Commerce PKI CA and to End Users which request them.
An ARO may also be provided with the ARA functions by a standalone
ARA. Affiliate Registration Organisations have less scope than ARAs
as the AROs do not maintain a data processing and storage centre
but constitute a basic certification services centre for End Users.
Within the limitations of the technological infrastructure they
operate, the functions of an Affiliate Registration Organisation
include:
· processing certificate applications presented to it by
End Users;
· processing certificate suspension and revocation requests;
· maintaining an archive of the Identification Information
submitted to it with certificate applications in accordance with
the CPS;
· maintain the physical and procedural controls
Additional functions may be attributed to Affiliate Registration
Organisations by E-Commerce PKI CA and in all cases such additional
functions shall comply with the security standards required to maintain
certification services that are compliant with this CPS.
Applicable Certificate Policy
The Certificate Policy that is applicable to a specific certificate
in accordance with the “Issuer Statement” contained
in the certificate. All adopted public Certificate Policies are
available on the E-Commerce PKI CA Web site (http://www.ecommercepki.com/cps/).
Applicant
An entity that has applied (or on whose behalf an application has
been submitted) to E-Commerce PKI CA or a Subordinate PKI Entity
for the issuance of a certificate but has not yet accepted it. The
verification processes following the application vary in accordance
with the nature and, where applicable, the operational role within
the PKI corresponding to the certificate the entity is applying
for (e.g. Gold CA, ARA, ARO or End User).
Asymmetric Key Pair
A pair of related keys where the private key defines the private
transformation and the public key defines the public transformation.
[ISO/IEC 9798-1 (2nd edition): 1997] [2nd DIS ISO/IEC 11770-3 (08/1997)]
Audit
A review and examination of system records and activities to assess
the adequacy and effectiveness of system controls to ensure compliance
with established policies and operational procedures and to recommend
necessary changes in controls, policies, or procedures.
Audit Event
An action, detected internally by the system which may generate
an audit record. If an event causes an audit record to be generated
[for recording in the audit trail], it is a "recorded event".
Otherwise, it is an "unrecorded event". The system decides,
as each event is detected, whether to generate an audit record by
the audit pre-selection algorithm. The set of audit events is based
upon a system's security policy.
[ISO/IEC POSIX Security]
Audit Record
The discrete unit of data recorded in the audit trail on the occurrence
of a recorded event. An audit record consists of a set of audit
descriptions, each of which has a set of audit attributes associated
with it. Every audit record always has an audit description for
the record' s header, and usually has additional audit descriptions
describing the entity(ies) and object(s) involved in the event.
[ISO/IEC POSIX Security]
Availability
The property of information being accessible and usable upon demand
by an authorised entity or process.
Certificate
A data structure, using the CCITT ITU X.509 standard, containing
the public key of an entity, together with associated information,
and rendered unforgeable by being digitally signed by the certification
authority which issued it.
Certification Authority
An authority trusted by one or more users to create, issue and manage
the life-cycle of certificates.
Certificate Chain
A chain of multiple certificates needed to validate a certificate.
Certificate chains are built by linking and verifying the digital
signature on a certificate with a public key on a certificate issued
by E-Commerce PKI CA or other trusted CA within the WISeKey PKI.
Certificate Generation
Certificate generation is the process of creating a certificate
from inputs specific to the application and the Applicant.
Certificate Policy (CP)
A named set of rules that indicates the applicability of a certificate
to a particular community and/or class of application with common
security requirements. For example, a particular certificate policy
might indicate applicability of a type of certificate to the authentication
of electronic data interchange transactions for the trading of goods
within a given price range.
Certification Practice Statement
A statement of the practices which a certification authority employs
in issuing certificates and managing the life-cycle of such certificates.
Certificate Request
Authenticated request by an entity for its parent authority to issue
a certificate which binds the identity of that entity to its public
key.
Certificate Revocation
Certificate revocation is the process of changing the status of
a certificate from valid or suspended to revoked. The status of
a certificate as revoked means that it should not longer be relied
upon by any entity for whatever purpose.
Certificate Revocation List (CRL)
A signed list of the certificates which have been revoked by E-Commerce
PKI CA or a Gold CA.
Certificate Serial Number
An integer value, unique within the issuing CA (certification authority),
which is unambiguously associated with a certificate issued by that
CA.
[ISO/IEC 9594-8: 1990] [CCITT X.509: 1988]
Certification Services
Any of the PKI-related services provided by E-Commerce PKI CA or
a Subordinate PKI Entity to other Subordinate PKI Entities, to End
Users and/or to Relying Parties, including, but not limited to,
the processing of certificate applications, storage of physical
documentation used for the certificate application process, issuance
of certificates, key pair generation, certificate validation services,
certificate suspension and revocation requests, as well as the suspension
or revocation of certificates.
Compliance Audit
A review and examination of system records and activities in order
to test for adequacy of system controls, to ensure compliance with
established policy and operational procedures, to detect breaches
in security, and to recommend any indicated changes in control,
policy and procedures.
Confidentiality
The property that information is not made available or disclosed
to unauthorised individuals, entities, or processes.
[ISO 7498-2: 1989] [TR 13335-1: 1996]
Cryptographic Key
A parameter used in conjunction with an algorithm for the purpose
of validation, authentication, encipherment or decipherment.
[ISO 8732: 1988]
Cryptographic Token
The medium in which a key is stored (e.g. smart card, cryptographic
key). Also referred to as Secure Storage Device.
Cryptography
The discipline which embodies principles, means, and methods for
the transformation of data in order to hide its information content,
prevent its undetected modification and/or prevent its unauthorised
use.
[ISO 7498-2: 1989] [ISO 8732: 1988]
Data Integrity
The quality or condition of being accurate, complete and valid,
and not altered or destroyed in an unauthorised manner.
Digital Signature
Data appended to, or a cryptographic transformation of a data unit
that allows a recipient of the data unit to prove the source and
integrity of the data unit and protect against forgery e.g. by the
recipient.
[ISO 7498-2: 1989]
Encryption
The process by which plain text data are transformed to conceal
their meaning. Encryption is a reversible process effected by using
a cryptographic algorithm and key.
End User
These are entities that have accepted certificates issued to them
by E-Commerce PKI CA but are not Subordinate PKI Entities.
Entity
Any person (legal or natural) or system (mechanical or electronic).
Evaluation
Assessment against defined criteria in order to give a measure of
confidence that a given entity meets such criteria.
Identification Information
The information obtained or presented to positively identify an
entity and provide the certification services requested by it, excluding
Summary Information.
Identity Verification
The process of using identification information to determine the
identity of an entity.
Interoperability
Interoperability implies that equipment and procedures in use by
two or more entities are compatible, and hence that it is possible
to undertake common or related activities.
Key
A sequence of symbols that controls the operation of a cryptographic
transformation (e.g. encipherment, decipherment, cryptographic check
function computation, signature generation, or signature verification).
[ISO/IEC 9798-1 (2nd edition): 1997] [ISO/IEC 11770-1: 1997]
Key Destruction
Key destruction is the process of removing all copies of a key throughout
the key management system.
Key Generation
Key generation is the process by which cryptographic keys are created.
It is the function of generating variables required to meet particular
key attributes.
Key Management
The administration and use of the generation, registration, certification,
deregistration, distribution, installation, storage, archiving,
revocation, derivation and destruction of keying material in accordance
with a security policy.
[ISO/IEC 11770-1: 1997]
Key Management Facility
A protected enclosure (e.g. room or cryptographic equipment) and
it contents where cryptographic elements reside.
[ISO 8732: 1988]
Key Pair
The keys in an asymmetric cryptosystem having the property that
one of the pair will decrypt what the other encrypts.
OCSP (On-Line Certificate Status Protocol)
A protocol which is used to provide real-time validation of a certificate’s
status. An OCSP responder is used to respond to certificate status
requests and can issue one of three responses: Valid, Invalid, Unknown.
An OCSP responder replies to certificate status requests on the
basis of CRLs (Certificate Revocation Lists) provided to it by certification
authorities.
Operational Infrastructure
The technological infrastructure by which the certification services
are provided. This infrastructure does not necessarily coincide
with the legal infrastructure or relationships that exist or that
develop between entities that form part of the WISeKey PKI or that
use the WISeKey PKI certification services in any way.
Physical Security
The measures used to provide physical protection of resources against
deliberate and accidental threats.
[ISO 7498-2: 1989]
Plaintext
Unenciphered information.
[ISO 8372: 1987] [ISO 8732: 1988] [ISO/IEC 9798-1 (2nd edition):
1997] [ISO/IEC 10116 (2nd edition): 1997]
Post-Suspension Investigation
Investigation performed by the WPAA after a certificate has been
suspended in order to determine whether such certificate should
be revoked or reinstated as valid.
Private Key
That key of an entity's asymmetric key pair which shall normally
only be known by that entity.
[2nd DIS ISO/IEC 11770-3 (08/1997)]
Public Key
That key of an entity's asymmetric key pair which can be made public,
although not necessarily available to the public in general, as
it may be restricted to a pre-determined group.
Public Key Certificate
A digital certificate that binds unforgeably the public key of an
entity to the entity's distinguishing identifier, and which indicates
the validity of the corresponding private key.
[ISO/IEC 13888-1: 1997]
Public Key Infrastructure
The infrastructure needed to generate, distribute, manage and archive
keys, certificates and certificate revocation lists, and OCSP responders.
[2nd DIS ISO/IEC 11770-3 (08/1997)]
Recipient
The entity that gets (receives or retrieves) a message.
Rekey
The act of replacing an expired certificate by providing a new set
of cryptographic keys and issuing a new certificate.
Relying Party
Any entity relying on a certificate, certificate revocation list,
certificate chain, this Certification Practice Statement, Certificate
Policies or any other information published by WISeKey (as operator
of E-Commerce PKI CA) that: (1) has agreed to a Relying Party agreement
or other similar agreement (e.g. Root CA – Affiliate CA Agreement)
or (2) is explicitly designated as such by an approved Certificate
Policy, despite not having signed a Relying Party agreement.
Revocation
To change the status of a valid or suspended certificate to “revoked”
from a specified time and forward.
Subordinate PKI Entity
Any entity that forms part of the E-Commerce PKI CA PKI, as structured
in this CPS, that has the authority to operate or provide certification
services. End Users and Relying Parties are not Subordinate PKI
Entities.
Subscriber
Any entity that has accepted a certificate issued to it by E-Commerce
PKI CA.
Summary Information
The basic information required for the production of a public key
certificate, for the verification of a digital signature, for the
validation of a certificate’s status as well as the information
produced as a result of such verification and validation.
Validation
The process of checking the integrity of a message, or selected
parts of a message, or the validity of a Certificate in terms of
its status (i.e. suspended or revoked).
Verification Process
A process which takes as input the signed message, the verification
key and the domain parameters, and which gives as output the result
of the signature verification: valid or invalid.
[FCD ISO/IEC 14888-1 (12/1997)]
It may also be useful to review
the WISeKey Global Common Root Certificate Practice Statement which
is available at the WISeKey
Librarium in PDF Format.
Top of Page >>
|
