Glossary of Akenti Terminology
Definitions of abbreviations are found under the term to which the abbreviation applies. For example, the definition for CA is found under certificate authority.
Akenti (AKA the Akenti policy engine)
An independent software module that identifies all use-conditions associated with a resource, searches for the corresponding user attributes, and verifies that a potential user fulfills the use-conditions.

attribute
A characteristic of a person or other identifiable entity. An attribute usually fulfills a use-condition in Akenti.

Stakeholders most commonly impose the use-condition that a user must belong to a particular group. A potential user would have to demonstrate group membership by obtaining an attribute certificate to that effect.

attribute certificate
A certificate that asserts something about its subject, namely, that the subject possesses the named attribute.

An attribute certificate usually applies to a particular use-condition. Although no such use-condition need exist, an attribute certificate without a corresponding use-condition is useless in Akenti.

An attribute certificate allows a user attribute certifier to provide a user characteristic that matches a use-condition in a natural and convenient way.

authenticate
To verify the identity of another party in a communication.

capability
The combination of a verified user identity, an assured access control decision, and a list of permitted actions, provided by Akenti to the application (or its agent). The application uses a capability to control specific user actions and to set up a secure communication channel between the user and resource.

CA
Abbreviation for certificate authority.

certificate
A document that has been digitally signed by a trusted party.

In the Akenti system, a certificate may assert identity (identity certificate), attest to an attribute of a subject (attribute certificate), or state a condition to be met (use-condition certificate).

certification authority (AKA certificate authority)
An entity trusted to "vouch" for the identity of a subject. In a public key infrastructure, a certificate authority signs an identity certificate for the subject.

Abbreviation: CA.

See also subject, identity certificate.

CN
Abbreviation for common name.

common name
The name by which a person is commonly known, e.g., Mary R. Thompson.

See also distinguished name.

distinguished name
The identifier associated with an entity (e.g., a person) in the ISO X.500 Directory. The distinguished name's format is not defined in the LDAP specification (see the references section for a link to the current protocol specification), but conventionally it is a representation of the entity's position in a hierarchy, such as that formed by a person's country, organization, and organizational unit, together with the person's common name.

Abbreviation: DN.

See also common name, Lightweight Directory Access Protocol.

DN
Abbreviation for distinguished name.

identity certificate
ISO X.509-standard format certificate used within a certificate authority infrastructure for identifying and authenticating an entity, typically a person.

An identity certificate is issued by a certificate authority (CA). It contains the name of the issuer (the CA), the distinguished name of the subject, a validity period, the signature algorithm that is used, the public key of the subject, and the signature of the CA. Many extensions are defined by version 3 of the X.509 standard.

See http://www-itg.lbl.gov/security/Akenti/docs/IdentityCert.html for an example of an identity certificate issued by the Netscape CA.

LDAP
Abbreviation for the Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol
A protocol "designed to provide access to the X.500 Directory while not incurring the resource requirements of the Directory Access Protocol" [RFC 2559].

In plain terms: the Lightweight Directory Access Protocol (LDAP) is used to communicate with the ISO/OSI directory service. Broadly defined, a directory is a "special purpose [database], usually containing typed information." An example of an Internet-based directory is the Domain Name Service (DNS). A directory accessed via LDAP, however, can contain any kind of information, unlike the special-purpose DNS directory. We refer to a directory accessible via LDAP as an LDAP server.

An LDAP server is used as a Registration Agent (RA) by the Netscape CA. All valid certificates are entered into an associated LDAP server, and are removed when they are revoked. Thus one can check whether a certificate has been revoked by looking it up in the CA's LDAP server. If it is not found, it is assumed to have been revoked.

policy certificate
A certificate stored with the resource that specifies who may create use-conditions for the resource and where the use-conditions are stored. It may also include the list of acceptable CAs to verify user identities.

resource
That which Akenti protects. Examples of currently protected resources or resources to be protected in the future include Web pages, scientific instruments, and premium network bandwidth.

Secure Sockets Layer protocol
A network protocol that allows the two ends of a unicast communication link to authenticate one another and to establish an encrypted connection.

Akenti and most other SSL-enabled applications use SSL version 3.

Abbreviation: SSL.

See also Transport Layer Security protocol.

SSL
Abbreviation for the Secure Sockets Layer protocol.

stakeholder
A party with authority to grant access to a resource. Stakeholders express their interest in the resource via use-conditions.

subject
The identifiable entity to which a certificate applies. In the Akenti system, a subject is usually a human being or a resource.

TLS
Abbreviation for the Transport Layer Security protocol.

Transport Layer Security protocol
The IETF's adaptation of SSL, version 3. The IETF's Transport Layer Security working group is in charge of the standardization process.

Abbreviation: TLS.

use-condition
A stakeholder's requirement that a potential user must fulfill (by producing a corresponding attribute) before being allowed to access or to use a resource.

use-condition certificate
A certificate that states a requirement that a user must meet to be granted access to the resource.

A use-condition certificate allows a stakeholder to impose its use-condition in a natural and convenient way, by representing the use-condition as a certificate that is generated, maintained, and distributed in the stakeholder's local (working) environment.
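
How the certificates defined in this glossary fit together at decision time (policy certificate, use-condition certificates, attribute certificates, and the user's identity CA), as an added Python example that is not Akenti's own code or certificate format. The record fields, sample DNs and the fail-closed choice for a resource with no use-condition from an authorized stakeholder are this example's assumptions.

```python
from dataclasses import dataclass

# Constructed, simplified records for illustration. Field names are this
# example's assumptions, not Akenti's actual certificate format.
@dataclass(frozen=True)
class PolicyCert:
    resource: str
    stakeholders: frozenset   # DNs allowed to create use-conditions
    trusted_cas: frozenset    # CAs acceptable for user identity certificates

@dataclass(frozen=True)
class UseCondition:
    issuer: str               # stakeholder DN that signed the use-condition
    attribute: str            # attribute the user must hold
    certifiers: frozenset     # attribute certifiers trusted for this attribute

@dataclass(frozen=True)
class AttributeCert:
    issuer: str               # attribute certifier DN
    subject: str              # user DN
    attribute: str

def evaluate(policy, use_conditions, user_dn, user_ca, attr_certs):
    """Return (granted, unmet); every missing piece denies access (fail closed)."""
    if user_ca not in policy.trusted_cas:
        return False, ["identity not issued by a CA the policy trusts"]
    # Use-conditions signed by anyone other than a listed stakeholder are
    # ignored, never honoured.
    valid = [uc for uc in use_conditions if uc.issuer in policy.stakeholders]
    if not valid:
        return False, ["no use-condition from an authorized stakeholder"]
    unmet = []
    for uc in valid:
        # The attribute certificate must name this user, assert exactly the
        # required attribute, and come from a certifier the use-condition names.
        if not any(ac.subject == user_dn and ac.attribute == uc.attribute
                   and ac.issuer in uc.certifiers for ac in attr_certs):
            unmet.append(uc.attribute)
    return not unmet, unmet

# Constructed sample data: one legitimate stakeholder, one impostor.
POLICY = PolicyCert("https://example.org/instrument",
                    frozenset({"CN=Lab Director"}), frozenset({"CN=Example CA"}))
USE_CONDS = [UseCondition("CN=Lab Director", "group=instrument-users",
                          frozenset({"CN=Group Admin"})),
             UseCondition("CN=Impostor", "group=anyone", frozenset({"CN=Impostor"}))]
ALICE, BOB = "CN=Alice,O=Example Org", "CN=Bob,O=Example Org"
ALICE_CERTS = [AttributeCert("CN=Group Admin", ALICE, "group=instrument-users")]
BOB_CERTS = [AttributeCert(BOB, BOB, "group=instrument-users")]  # self-asserted

if __name__ == "__main__":
    print(evaluate(POLICY, USE_CONDS, ALICE, "CN=Example CA", ALICE_CERTS))  # (True, [])
    print(evaluate(POLICY, USE_CONDS, BOB, "CN=Example CA", BOB_CERTS))  # (False, ['group=instrument-users'])
```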

X.509
The ISO authentication framework.