ACCEPT (A CERTIFICATE)
To demonstrate approval of a
certificate by a certificate applicant while knowing or having
notice of its informational contents, in accordance with the CPS.
ACCESS
A specific type of interaction
between a subject and communications or information resources
that results in a flow of information, the exercise of control,
or the activation of a process.
ACCREDITATION
A formal declaration by a VeriSign-designated
approving authority that a particular information system, professional
or other employee or contractor, or organization is approved to
perform certain duties and to operate in a specific security mode,
using a prescribed set of safeguards.
AFFIRM / AFFIRMATION
To state or indicate by conduct
that data is correct or information is true.
ALIAS
A pseudonym.
APPLICANT (See CA APPLICANT; CERTIFICATE APPLICANT)
ARCHIVE
To store records and associated
journals for a given period of time for security, backup, or auditing
purposes.
ASSURANCES
Statements or conduct intended
to convey a general intention, supported by a good-faith effort,
to provide and maintain a specified service by an IA. "Assurances"
does not necessarily imply a guarantee that the services will
be performed fully and satisfactorily. Assurances are distinct
from insurance, promises, guarantees, and warranties, unless otherwise
expressly indicated.
AUDIT
A procedure used to validate
that controls are in place and adequate for their purposes. Includes
recording and analyzing activities to detect intrusions or abuses
into an information system. Inadequacies found by an audit are
reported to appropriate management personnel.
AUTHENTICATE (See AUTHENTICATION)
AUTHENTICATED RECORD
A signed document with appropriate assurances
of authentication, or a message whose digital signature has been verified
by a relying party using a valid Class 3 certificate.
However, for suspension and revocation notification purposes,
the digital signature contained in such notification message must
have been created by the private key corresponding to the public
key contained in the certificate for the applicable certificate
class.
AUTHENTICATION
A process used to confirm the
identity of a person or to prove the integrity of specific information.
Message authentication involves determining its source and verifying
that it has not been modified or replaced in transit. (Cf.,
VERIFY (A DIGITAL SIGNATURE))
AUTHENTICODE (See MICROSOFT AUTHENTICODE; SOFTWARE VALIDATION)
AUTHORIZATION
The granting of rights, including
the ability to access specific information or resources.
AVAILABILITY
The extent to which information
or processes are reasonably accessible and usable, upon demand,
by an authorized entity, allowing authorized access to resources
and timely performance of time-critical operations.
BINDING
An affirmation by an IA (or
its LRA) of the relationship between a named entity and its public
key.
C
CA APPLICATION (NON-VERISIGN CA APPLICATION)
The application submitted
to the applicable VeriSign PCA by a non-VeriSign entity requesting
to become a certification authority or subordinate certification
authority, and requesting an IA certificate, within VeriSign's
public certification services. (See CPS Section 3.1.1)
CA APPLICANT
A person who submits a CA application
to VeriSign requesting to become a CA or subordinate CA. (Cf.,
SUBSCRIBER)
CERTIFICATE (PUBLIC KEY CERTIFICATE)
A message (see definition for MESSAGE)
that, at least, states a name or identifies the IA, identifies
the subscriber, contains the subscriber's public key, identifies
the certificate's operational period, contains a certificate serial
number, and is digitally signed by the IA. All references to a
"Class [1, 2, or 3] certificate" or to a "certificate"
without a modifying adjective are intended as references to both
"normal" and "provisional" certificates,
unless the context requires otherwise. References to a certificate
refer exclusively to certificates issued by an IA. (Cf.,
NORMAL CERTIFICATE; PROVISIONAL CERTIFICATE)
CERTIFICATE APPLICANT
A person or authorized agent
that requests the issuance of a public key certificate by an IA.
(Cf., CA APPLICANT; SUBSCRIBER)
CERTIFICATE APPLICATION
A request from a certificate
applicant (or authorized agent) to an IA for the issuance of a
certificate. (Cf., CERTIFICATE APPLICANT; CERTIFICATE
SIGNING REQUEST)
CERTIFICATE CHAIN
An ordered list of certificates
containing an end-user subscriber certificate and IA certificates.
(See VALID CERTIFICATE)
CERTIFICATE EXPIRATION
The time and date specified in the certificate
when the operational period ends, without regard to any earlier
suspension or revocation.
CERTIFICATE EXTENSION
An extension field to a certificate
which may convey additional information about the public key being
certified, the certified subscriber, the certificate issuer, and/or
the certification process. Standard extensions are defined in
Amendment 1 to ISO/IEC 9594-8:1995 (X.509). Custom extensions
can also be defined by communities of interest.
CERTIFICATE HIERARCHY
A VeriSign PCS domain of IAs, each categorized with respect to its role in a
"tree structure" of subordinate IAs. An IA issues and manages certificates for end-user subscribers
and/or for one or more IAs at the next level. Note: an IA in a trust hierarchy must
observe uniform practices addressing issues such as naming, maximum number of levels, etc.,
to assure integrity of the domain and thereby ensure uniform accountability, auditability,
and management through the use of trustworthy operational processes.
CERTIFICATE ISSUANCE
The actions performed by an
IA in creating a certificate and notifying the certificate applicant
(anticipated to become a subscriber) listed in the certificate
of its contents.
CERTIFICATE MANAGEMENT
Certificate management includes,
but is not limited to storage, dissemination, publication, revocation,
and suspension of certificates. An IA undertakes certificate management functions by
serving as a registration authority for subscriber certificates. An IA designates issued
and accepted certificates as valid by publication.
CERTIFICATE OF AUTHENTICITY
A document issued by an authorized
official of the jurisdiction in which an acknowledgment by a notary
was taken, such as the secretary of state of a state (U.S.) to
authenticate the status of a notary.
CERTIFICATE REVOCATION
(See REVOKE A CERTIFICATE)
CERTIFICATE REVOCATION LIST (CRL)
A periodically (or exigently)
issued list, digitally signed by an IA, of identified certificates
that have been suspended or revoked prior to their expiration
dates. The list generally indicates the CRL issuer's name, the
date of issue, the date of the next scheduled CRL issue, the suspended
or revoked certificates' serial numbers, and the specific times
and reasons for suspension and revocation.
CERTIFICATE SERIAL NUMBER
A value that unambiguously
identifies a certificate generated by an IA.
CERTIFICATE SIGNING REQUEST (CSR)
A machine-readable form of a
certificate application. (Cf., CERTIFICATE APPLICATION)
CERTIFICATE SUSPENSION (See SUSPEND A CERTIFICATE)
CERTIFICATION / CERTIFY
The process of issuing a certificate by an IA.
CERTIFICATION AUTHORITY (CA)
A person (see definition
for PERSON) authorized to issue certificates. Under the
VeriSign PCS, a CA is subordinate to a PCA. (Cf., REGISTRATION
AUTHORITY; TRUSTED THIRD PARTY)
CERTIFICATION PRACTICE STATEMENT (CPS)
VeriSign's statement
of the practices an IA employs in issuing certificates. This
document, as revised from time to time.
CHALLENGE PHRASE
A set of numbers and/or letters that are chosen by a certificate applicant,
communicated to the IA with a certificate application, and used
by the IA to authenticate the subscriber for various purposes
as required by the CPS. A challenge phrase is also used by a secret
share holder to authenticate himself, herself, or itself to a
secret share issuer.
CLASS [1, 2, OR 3] CERTIFICATE
A certificate of a specified
level of trust. (See CPS Section 2.2.)
COMMERCIAL REASONABLENESS
In the context of electronic
commerce, the implementation and use of technology, controls,
and administrative and operational procedures that reasonably
ensure system and message trustworthiness.
COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE
A Class 3 certificate that is
issued to organizations only and is used for software validation.
(Cf., INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE;
SOFTWARE VALIDATION)
COMMON KEY
Some systems of cryptographic
hardware require arming through a secret-sharing process and require
that the last of these shares remain physically attached to the
hardware in order for it to stay armed. In this case common key
refers to this last share. It is not assumed to be secret as it
is not continually in an individual's possession.
COMPROMISE
A violation (or suspected violation)
of a security policy, in which an unauthorized disclosure of,
or loss of control over, sensitive information may have occurred.
(Cf., DATA INTEGRITY)
CONFIDENTIALITY
The condition in which sensitive
data is kept secret and disclosed only to authorized parties.
CONFIRM
To ascertain through
appropriate inquiry and investigation. (Cf., AUTHENTICATE;
VERIFY A DIGITAL SIGNATURE)
CONFIRMATION OF CERTIFICATE CHAIN
The process of validating a
certificate chain and subsequently validating an end-user subscriber
certificate.
CONTENT INTEGRITY SERVICES
Content integrity services provide certificates to software publishers
who desire to digitally sign their software publications to facilitate
their customers' (end-users') ability to undertake
software validation.
CONTROLS
Measures taken to ensure the
integrity and quality of a process.
CORRESPOND
To belong to the same key pair.
(See also PUBLIC KEY; PRIVATE KEY)
CROSS-CERTIFICATION
A condition in which either
or both a VeriSign PCA and a non-VeriSign certificate issuing
entity (representing another certification domain)
issues a certificate having the other as the subject of
that certificate.
CRYPTOGRAPHIC ALGORITHM
A clearly specified mathematical
process for computation; a set of rules that produce a prescribed
result.
CRYPTOGRAPHY
(Cf., PUBLIC KEY CRYPTOGRAPHY)
(i) The mathematical science used to secure the confidentiality
and authentication of data by replacing it with a transformed
version that can be reconverted to reveal the original data only
by someone holding the proper cryptographic algorithm and key.
(ii) A discipline that embodies the principles, means, and methods
for transforming data in order to hide its information content,
prevent its undetected modification, and/or prevent its unauthorized
uses.
CRYPTOMODULE
A trustworthy implementation
of a cryptosystem which safely performs encryption and decryption
of data.
D
DATA
Programs, files, and other information
stored in, communicated, or processed by a computer.
DATABASE
A set of related information
created, stored, or manipulated by a computerized management information
system.
DATA CONFIDENTIALITY
(See CONFIDENTIALITY)
DATA INTEGRITY
A condition in which data has
not been altered or destroyed in an unauthorized manner. (See
also THREAT; cf., COMPROMISE)
DENIAL OF SERVICE
(See AVAILABILITY)
DIGITAL ID (SM)
VeriSign's service-marked name for
a certificate. (See CERTIFICATE)
DIGITAL SIGNATURE
A transformation of a message using an
asymmetric cryptosystem such that a person having the initial
message and the signer's public key can accurately determine
whether the transformation was created using the private key that
corresponds to the signer's public key and whether the message
has been altered since the transformation was made.
DIRECTORY (Cf., REPOSITORY)
DISTINGUISHED NAME
A set of data that identifies
a real-world entity, such as a person in a computer-based context.
(e.g., countryName=US, state=California, organizationName=Electronic
Inc., commonName=JohnDoe).
DOCUMENT
A record consisting of information
inscribed on a tangible medium such as paper rather than computer-based
information. (Cf., MESSAGE; RECORD)
E-F
ELECTRONIC MAIL ("E-MAIL")
Messages sent, received or forwarded
in digital form via a computer-based communication mechanism.
ENCRYPTION
The process of transforming
plaintext data into an unintelligible form (ciphertext) such that
the original data either cannot be recovered (one-way encryption)
or cannot be recovered without using an inverse decryption process
(two-way encryption).
END-USER SUBSCRIBER
A subscriber which is not also
an IA.
ENHANCED NAMING
The use of an extended organization
field (OU=) in an X.509 v3 certificate.
ENROLLMENT
The process of a certificate
applicant's applying for a certificate.
ENTITY
(See PERSON)
EXTENSIONS
Extension fields in X.509 v3 certificates.
(See X.509)
FILE TRANSFER PROTOCOL (FTP)
The application protocol that
offers file system access from the Internet suite of protocols.
FTP
(See FILE TRANSFER PROTOCOL)
G-H
GENERATE A KEY PAIR
A trustworthy process of creating a private key whose corresponding
public key is submitted to the applicable IA during certificate
application in a manner that demonstrates the applicant's capacity
to use the private key.
HASH (HASH FUNCTION)
An algorithm that maps or translates
one set of bits into another (generally smaller) set in such a
way that:
i. A message yields the same result every time the algorithm is executed using the same message as input.
ii. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm.
iii. It is computationally infeasible to find two different messages that produce the same hash result using the same algorithm.
I
IA (See ISSUING AUTHORITY)
IA CERTIFICATE
A certificate issued by
an authorized superior IA to a subordinate IA. (See SUPERIOR
IA; SUBORDINATE IA; cf., CERTIFICATE)
IDENTIFICATION/IDENTITY
The process of confirming the
identity of a person. Identification is facilitated in public
key cryptography by means of certificates.
IDENTITY
A unique piece of information
that marks or signifies a particular entity within a domain. Such
information is only unique within a particular domain.
INCORPORATE BY REFERENCE
To make one message a part
of another message by identifying the message to be incorporated,
with information that enables the receiving party to access and
obtain the incorporated message in its entirety, and by expressing
the intention that it be part of the incorporating message. Such
an incorporated message shall have the same effect as if it had
been fully stated in the message to the extent permitted by law.
INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE
A Class 2 certificate that is
issued to individuals only and is used for software validation.
(Cf., COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE;
SOFTWARE VALIDATION)
INTEGRITY
(See DATA INTEGRITY)
ISSUING A CERTIFICATE (See CERTIFICATE ISSUANCE)
ISSUER
(See ISSUING AUTHORITY)
ISSUING AUTHORITY (IA)
Within VeriSign's PCS, the VR, PCA,
or CA (or subordinate CA) that issues, suspends, or revokes a
certificate. IAs are identified by a distinguished name on all
certificates and CRLs they issue.
J-L
KEY GENERATION
The trustworthy process of creating a private
key/public key pair. The public key is supplied to an IA during
the certificate application process.
KEY PAIR
A private key and its corresponding
public key. The public key can verify a digital signature created
by using the corresponding private key. In addition, depending
upon the type of algorithm implemented, key pair components can
also encrypt and decrypt information for confidentiality purposes,
in which case a private key uniquely can reveal information encrypted
by using the corresponding public key.
LOCAL REGISTRATION AUTHORITY (LRA)
An entity appointed by an
IA to assist other entities in applying for certificates, in revoking
(or, where authorized, suspending) their certificates, or both,
and also to approve such applications. An LRA is not the agent of a certificate
applicant. An LRA may not delegate the authority to approve certificate applications.
M-N
MESSAGE
A digital representation of
information; a computer-based record. A subset of RECORD.
(Cf., DOCUMENT; RECORD)
MESSAGE INTEGRITY (See INTEGRITY)
MICROSOFT AUTHENTICODE (See SOFTWARE VALIDATION)
NAME
A set of identifying attributes
purported to describe an entity of a certain type.
NAMING
Naming is the assignment of
descriptive identifiers to objects of a particular type by an
authority which follows specific issuing procedures and maintains
specific records pertinent to an identified registration process.
(Cf., NAMING AUTHORITY; VERISIGN NAMING AUTHORITY)
NAMING AUTHORITY
A body which executes naming
policy and procedures and has control over the registration and
assignment of primitive (basic) names to objects of a particular
class. (Cf., NAMING; VERISIGN NAMING AUTHORITY)
NONREPUDIATION
Provides proof of the origin
or delivery of data in order to protect the sender against a false
denial by the recipient that the data has been received or to
protect the recipient against false denial by the sender that
the data has been sent. Note: Only a trier of fact (someone with
the authority to resolve disputes) can make an ultimate determination
of nonrepudiation. By way of illustration, a digital signature
verified pursuant to this CPS can provide proof in support of
a determination of nonrepudiation by a trier of fact, but does
not by itself constitute nonrepudiation.
NONVERIFIED SUBSCRIBER INFORMATION (NSI)
Information submitted by a certificate applicant to an IA, and included within
a certificate, which has not been confirmed by the IA and for
which the IA provides no assurances other than that the information
was submitted by the certificate applicant. Information such as
titles, professional degrees, and accreditations are considered
NSI unless otherwise indicated.
NON-VERISIGN IA
An IA that is not owned or operated
by VeriSign. (See CPS Section 3.1; Cf., IA)
NORMAL CERTIFICATE (See CERTIFICATE)
NOTARY
A natural person authorized by an executive governmental agency to perform
notarial services such as taking acknowledgments, administering
oaths or affirmations, witnessing or attesting signatures, and
noting protests of negotiable instruments.
NOTICE
The result of notification in accordance with this CPS. (See CPS Section 12.10)
NOTIFY
To communicate specific information to another person as required
by this CPS and applicable law.
O-P
ON-LINE
Communications that provide
a real-time connection to the VeriSign PCS.
OPERATIONAL CERTIFICATE
A certificate which is within
its operational period at the present date and time or at a different
specified date and time, depending on the context.
OPERATIONAL PERIOD
The period starting with the
date and time a certificate is issued (or on a later date and
time certain if stated in the certificate) and ending with the
date and time on which the certificate expires or is earlier suspended
or revoked.
ORGANIZATION
An entity with which a user
is affiliated. An organization may also be a user.
ORIGINATOR
A person by whom (or on whose
behalf) a data message is purported to have been generated, stored,
or communicated. It does not include a person acting as an intermediary.
PARTIES
The entities whose rights and obligations are intended to be controlled
by this CPS. These entities may include certificate applicants,
IAs, subscribers, and relying parties. (See USERS; IAs;
RELYING PARTY)
PASSWORD (PASS PHRASE; PIN NUMBER)
Confidential authentication
information, usually composed of a string of characters used to
provide access to a computer resource.
PC CARD (See also SMART CARD)
A hardware token compliant with standards promulgated by the
Personal Computer Memory Card International Association (PCMCIA)
providing expansion capabilities to computers, including the facilitation
of information security.
PERSON
A human being or an organization (or a device under the control of a human being
or organization) capable of signing or verifying a message, either
legally or as a matter of fact. (A synonym of ENTITY.)
PERSONAL PRESENCE
The act of appearing (physically rather
than virtually or figuratively) before an LRA or its designee
and proving one's identity as a prerequisite to certificate issuance
under certain circumstances.
PKI HIERARCHY
A set of IAs whose functions
are organized according to the principle of delegation of authority
and related to each other as subordinate and superior IA.
PLEDGE (See SOFTWARE PUBLISHER'S PLEDGE)
PRIMARY CERTIFICATION AUTHORITY (PCA)
A person that establishes practices
for all certification authorities and users within its domain.
PRIVATE KEY
A mathematical key (kept secret
by the holder) used to create digital signatures and, depending
upon the algorithm, to decrypt messages or files encrypted (for
confidentiality) with the corresponding public key. (See
also PUBLIC KEY CRYPTOGRAPHY; PUBLIC KEY)
PROVISIONAL CERTIFICATE
A [Class 2] certificate during the first 21 days of its operational period
that is issued upon the successful completion of all required
IA-internal validation procedures with respect to a Class 2 certificate
application (in accordance with CPS Section 5.1). The provisional
state denotes that further validation of the certificate application
regarding the subscriber's identity will be completed through
a postal address "mail-back" procedure (see CPS
Section 5.1.4 - Postal Address Confirmation). (Cf., CERTIFICATE)
PUBLIC CERTIFICATION SERVICES (See VERISIGN PUBLIC CERTIFICATION SERVICES)
PUBLIC KEY
A mathematical key that can
be made publicly available and which is used to verify signatures
created with its corresponding private key. Depending on the algorithm,
public keys are also used to encrypt messages or files which can
then be decrypted with the corresponding private key. (See
also PUBLIC KEY CRYPTOGRAPHY; PRIVATE KEY)
PUBLIC KEY CERTIFICATE
(See CERTIFICATE)
PUBLIC KEY CRYPTOGRAPHY (Cf., CRYPTOGRAPHY)
A type of cryptography that uses a key pair of mathematically
related cryptographic keys. The public key can be made available
to anyone who wishes to use it and can encrypt information or
verify a digital signature; the private key is kept secret by
its holder and can decrypt information or generate a digital signature.
PUBLIC KEY INFRASTRUCTURE (PKI)
The architecture, organization,
techniques, practices, and procedures that collectively support
the implementation and operation of a certificate-based public
key cryptographic system. The PKI consists of systems which collaborate
to provide and implement the PCS and possibly other related services.
PUBLIC/PRIVATE KEY PAIR (See PUBLIC KEY; PRIVATE KEY; KEY PAIR)
PUBLISH / PUBLICATION
To record or file information in the VeriSign repository and optionally
in one or more other repositories in order to disclose and make
publicly available such information in a manner that is consistent
with this CPS and applicable law.
Q-R
QUALIFIER (See VERISIGN QUALIFIER)
RECIPIENT (of a DIGITAL SIGNATURE)
A person who receives a digital signature
and who is in a position to rely on it, whether or not such reliance
occurs. (Cf., RELYING PARTY)
RECORD
Information that is inscribed
on a tangible medium (a document) or stored in an electronic or
other medium and retrievable in perceivable form. The term "record"
is a superset of the two terms "document" and "message".
(Cf., DOCUMENT; MESSAGE)
RE-ENROLLMENT (Cf., RENEWAL)
REGISTERED STRING
A class of object subject to
registration and recording procedures that ensure the recorded value
is unambiguous within the records of the registration authority.
The type of value recorded is a string of characters.
REGISTRATION AUTHORITY
An entity trusted to register
other entities and assign them a relative distinguished value, such as a
distinguished name or a hash of a certificate. A registration scheme for each registration
domain ensures that each registered value is unambiguous within
that domain. (Cf., CERTIFICATION AUTHORITY)
RELATIVE DISTINGUISHED NAME (RDN)
A set of attributes comprising an entity's
distinguished name that distinguishes the entity from others of the same type.
RELY / RELIANCE (on a CERTIFICATE and DIGITAL SIGNATURE)
To accept a digital signature and act in a manner that could
be detrimental to oneself were the digital signature to be ineffective.
(Cf., RELYING PARTY; RECIPIENT)
RELYING PARTY
A recipient who acts in reliance
on a certificate and digital signature. (Cf., RECIPIENT;
RELY OR RELIANCE (on a CERTIFICATE and DIGITAL SIGNATURE))
RENEWAL
The process of obtaining a new certificate
of the same class and type for the same subject once an existing
certificate has expired.
REPOSITORY
A database of certificates and other relevant information accessible on-line.
REPUDIATION
(See also NONREPUDIATION)
The denial or attempted denial by an entity involved in a communication
of having participated in all or part of the communication.
REVOKE A CERTIFICATE (See CERTIFICATE REVOCATION)
The process of permanently ending the operational period of a certificate
from a specified time forward.
ROOT
The IA that issues the first
certificate in a certification chain. The root's public key must
be known in advance by a certificate user in order to validate
a certification chain. The root's public key is made trustworthy
by some mechanism other than a certificate, such as by secure
physical distribution.
RSA
A public key cryptographic system
invented by Rivest, Shamir & Adleman.
S
SECRET SHARE
A portion of a cryptographic
secret split among a number of physical tokens.
SECRET SHARE HOLDER
An authorized holder of a physical
token containing a secret share.
SECRET SHARE ISSUER
The person designated by an IA to create and distribute secret shares.
SECRET SHARING (See also SECRET SHARE)
The practice of distributing
secret shares of a private key to a number of secret share holders;
threshold-based splitting of keys.
SECURE CHANNEL
A cryptographically enhanced communications
path that protects messages against perceived security threats.
SECURITY
The quality or state of being protected from unauthorized access or uncontrolled
losses or effects. Absolute security is impossible to achieve
in practice and the quality of a given security system is relative.
Within a state-model security system, security is a specific
"state" to be preserved under various operations.
SECURITY POLICY
A document which articulates
requirements and good practices regarding the protections maintained
by a trustworthy system in support of the PCS.
SECURITY SERVICES
Services provided by
a set of security frameworks and performed by means of certain
security mechanisms. Such services include, but are not limited
to, access control, data confidentiality, and data integrity.
SELF-SIGNED PUBLIC KEY
A data structure that is constructed the same as a certificate but that is signed
by its subject. Unlike a certificate, a self-signed public key
cannot be used in a trustworthy manner to authenticate a public
key to other parties. A PCA self-signed public key digitally signed
by the VR shall constitute a certificate. (Cf., CERTIFICATE)
SERIAL NUMBER (See CERTIFICATE SERIAL NUMBER)
SERVER
A computer system that responds
to requests from client systems.
SIGN
To create a digital signature
for a message, or to affix a signature to a document, depending
upon the context.
SIGNATURE
A method that is used or adopted by a document originator to identify himself
or herself, which is either accepted by the recipient or its use
is customary under the circumstances. (Cf., DIGITAL
SIGNATURE)
SIGNER
A person who creates a digital
signature for a message, or a signature for a document.
SMART CARD
A hardware token that incorporates
one or more integrated circuit (IC) chips to implement cryptographic
functions and that possesses some inherent resistance to tampering.
S/MIME
A specification for E-mail security exploiting a cryptographic message syntax
in an Internet MIME environment.
SOFTWARE PUBLISHER'S PLEDGE
The representations and
guarantees made by individual and commercial software publishers
as stated in the CPS. (See CPS Section 4.3)
SOFTWARE VALIDATION
VeriSign services which provide
assurances in accordance with the CPS and the software publisher's pledge
(see CPS Section 4.3) of an individual or commercial software
publisher that digitally-signed software was duly published by
the subject of the corresponding VeriSign-issued certificate and
has not been undetectably modified since it was digitally signed.
(Cf., INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE; COMMERCIAL
SOFTWARE PUBLISHER CERTIFICATE; SOFTWARE PUBLISHER'S PLEDGE; VALIDATION
(OF CERTIFICATE APPLICATION))
SUBJECT (OF A CERTIFICATE)
The holder of a private key
corresponding to a public key. The term "subject" can
refer to both the equipment or device that holds a private key
and to the individual person, if any, who controls that equipment
or device. A subject is assigned an unambiguous name which is
bound to the public key contained in the subject's certificate.
SUBJECT NAME
The unambiguous value in the subject name field of a certificate which
is bound to the public key.
SUBORDINATE IA
Within the VeriSign PKI architecture's
hierarchy of IAs, each IA is either the VR, a PCA, a CA or a "subordinate
CA". The subordinate IA of the VR is a PCA; the PCA's subordinate
IA is a CA; a CA's subordinate IA is a subordinate CA. If present,
a subordinate CA's subordinate IA is yet another subordinate CA.
(Cf., SUPERIOR IA)
SUBSCRIBER
A person who is the subject
of, has been issued a certificate, and is capable of using, and
authorized to use, the private key that corresponds to the public
key listed in the certificate. (See also SUBJECT;
cf., CERTIFICATE APPLICANT; USER)
SUBSCRIBER AGREEMENT
The agreement (See Subscriber Agreement) executed between a subscriber
and an IA for the provision of designated public certification
services in accordance with this CPS.
SUBSCRIBER INFORMATION
Information supplied to a certification
authority as part of a certificate application. (Cf.,
CERTIFICATE APPLICATION)
SUPERIOR IA
Within the VeriSign PKI architecture's
hierarchy of IAs, each IA is either the VR, a PCA, a CA or a "subordinate
CA". The superior IA of a subordinate CA is either another
subordinate CA or a CA; a CA's superior is a PCA; a PCA's superior
is either the VR, or itself. The VR is its own superior IA.
(Cf.,
SUBORDINATE IA)
SUSPEND A CERTIFICATE
A temporary "hold" placed on the effectiveness of the operational
period of a certificate without permanently revoking the certificate. A certificate
suspension is invoked by, e.g., a CRL entry with a reason code.
(Cf., REVOKE A CERTIFICATE)
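How the OPERATIONAL PERIOD, CERTIFICATE EXPIRATION, CRL and SUSPEND/REVOKE entries combine into one status decision at a given instant, as an added Python example that is not part of the CPS. The IA name, the certificates and the CRL are constructed dicts standing in for the X.509 structures; the reason names are the X.509 CRLReason values.

```python
"""Certificate status at a point in time, from the certificate's own
operational period plus the IA's CRL. Added example, not from the CPS."""
from datetime import datetime, timezone


def utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


ISSUER = "CN=Example IA"  # constructed IA distinguished name

# Constructed subscriber certificates: serial -> the fields the check needs.
CERTS = {
    "1001": {"serial": "1001", "issuer": ISSUER,
             "notBefore": utc(2024, 1, 1), "notAfter": utc(2025, 1, 1)},
    "1002": {"serial": "1002", "issuer": ISSUER,
             "notBefore": utc(2024, 1, 1), "notAfter": utc(2025, 1, 1)},
    "1003": {"serial": "1003", "issuer": ISSUER,
             "notBefore": utc(2024, 1, 1), "notAfter": utc(2025, 1, 1)},
}

# Constructed CRL carrying the fields the CRL entry lists: issuer name, date
# of issue, next scheduled issue, and per-entry serial, time and reason. A
# suspension and a revocation look alike except for the reason code.
CRL = {
    "issuer": ISSUER,
    "thisUpdate": utc(2024, 6, 1),
    "nextUpdate": utc(2024, 6, 8),
    "revoked": [
        {"serial": "1002", "date": utc(2024, 5, 20), "reason": "certificateHold"},
        {"serial": "1003", "date": utc(2024, 3, 15), "reason": "keyCompromise"},
    ],
}


def certificate_status(cert, crl, at):
    """One of: 'not yet operational', 'expired', 'suspended', 'revoked',
    'operational', 'undetermined (CRL stale)'."""
    # Expiration is read from the certificate alone, "without regard to any
    # earlier suspension or revocation" (CERTIFICATE EXPIRATION).
    if at < cert["notBefore"]:
        return "not yet operational"
    if at >= cert["notAfter"]:
        return "expired"
    # A CRL speaks only for its own issuer's certificates, and only until its
    # nextUpdate: after that, absence from the list proves nothing.
    if crl["issuer"] != cert["issuer"]:
        raise ValueError("CRL issuer does not match certificate issuer")
    if at > crl["nextUpdate"]:
        return "undetermined (CRL stale)"
    for entry in crl["revoked"]:
        if entry["serial"] == cert["serial"] and entry["date"] <= at:
            # certificateHold is the temporary "hold" of SUSPEND A CERTIFICATE;
            # the IA lifts it by omitting the entry from a later CRL. Any other
            # reason code is a permanent revocation.
            return "suspended" if entry["reason"] == "certificateHold" else "revoked"
    return "operational"


def status_report(at):
    """Status of every sample certificate at time `at`, keyed by serial."""
    return {s: certificate_status(c, CRL, at) for s, c in CERTS.items()}


if __name__ == "__main__":
    for serial, status in status_report(utc(2024, 6, 3)).items():
        print(serial, status)
```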
T
THREAT
A circumstance or event with the potential
to cause harm to a system, including the destruction, unauthorized
disclosure, or modification of data and/or denial of service.
TIME STAMP
A notation that indicates (at least) the
correct date and time of an action, and identity of the person
or device that sent or received the time stamp.
TOKEN
A hardware security token containing
a user's private key(s), public key certificate, and, optionally,
a cache of other certificates, including all certificates in the
user's certification chain.
TRANSACTION
A computer-based transfer of
business information which consists of specific processes to facilitate
communication over global networks.
TRUST
Generally, the assumption that
an entity will behave substantially as expected. Trust may apply
only for a specific function. The key role of this term in an
authentication framework is to describe the relationship between
an authenticating entity and an IA. An authenticating entity must
be certain that it can trust the IA to create only valid and reliable
certificates, and users of those certificates rely upon the authenticating
entity's determination of trust.
TRUSTED PERSON
A person who serves in a trusted position
and is qualified to serve in it in accordance with this CPS.
(Cf., TRUST; TRUSTED POSITION; TRUSTED THIRD PARTY;
TRUSTWORTHY SYSTEM)
TRUSTED POSITION
A role within an IA that includes access to or control over
cryptographic operations that may materially affect the issuance,
use, suspension, or revocation of certificates, including operations
that restrict access to a repository.
TRUSTED ROOT
A trusted root is a public key which has been confirmed as bound
to an IA by a user or system administrator. Software and systems
implementing authentication based on public key cryptography and
certificates assume that this key value has been correctly obtained.
It is confirmed by always accessing it from a trusted system
repository to which only identified and trusted administrators have
modification authorizations.
TRUSTED THIRD PARTY
In general, an independent,
unbiased third party that contributes to the ultimate security
and trustworthiness of computer-based information transfers. A
trusted third party does not connote the existence of a trustor-trustee
or other fiduciary relationship. (Cf., TRUST)
TRUSTWORTHY SYSTEM
Computer hardware, software, and procedures that are reasonably
secure from intrusion and misuse; provide a reasonable level of
availability, reliability, and correct operation; are reasonably
suited to performing their intended functions; and enforce the
applicable security policy. A trustworthy system is not necessarily
a "trusted system" as recognized in classified government
nomenclature.
TYPE (OF CERTIFICATE)
The defining properties of a
certificate which limit its intended purpose to a class of applications
uniquely associated with that type.
U-V
UNAMBIGUOUS NAME
(See DISTINGUISHED NAME)
UNIVERSAL RESOURCE LOCATOR (URL)
A standardized device for identifying and
locating certain records and other resources located on the World
Wide Web.
USER
An authorized entity that uses
a certificate as applicant, subscriber, recipient or relying party,
but not including the IA issuing the certificate. (Cf.,
CERTIFICATE APPLICANT; ENTITY; PERSON; SUBSCRIBER)
VALID CERTIFICATE
A certificate issued by an IA and accepted by the subscriber listed
in it.
VALIDATE A CERTIFICATE (i.e., of an END-USER SUBSCRIBER CERTIFICATE)
The process performed by a recipient or
relying party to confirm that an end-user subscriber certificate
is valid and was operational at the date and time a pertinent
digital signature was created.
VALIDATE A CERTIFICATE CHAIN
For each certificate in a chain, the process
performed by the recipient or relying party to authenticate the
public key (in each certificate), confirm that each certificate
is valid, was issued within the operational period of the corresponding
IA certificate, and that all parties (IAs, end-user subscribers,
recipients, and relying parties) have operated in accordance with
this CPS as to all certificates in the chain.
VALIDATION (OF CERTIFICATE APPLICATION)
The process performed
by the IA (or its LRA) following submission of a certificate application
as a prerequisite to approval of the application and the issuance
of a certificate. (Cf., AUTHENTICATION; SOFTWARE
VALIDATION)
VALIDATION (OF SOFTWARE)
(See SOFTWARE VALIDATION)
VERIFY (a DIGITAL SIGNATURE)
In relation to a given digital signature, message, and public
key, to determine accurately that (i) the digital signature was
created during the operational period of a valid certificate by
the private key corresponding to the public key contained in the
certificate and (ii) the associated message has not been altered
since the digital signature was created. (Cf., AUTHENTICATION;
CONFIRM)
VERISIGN NAMING AUTHORITY
A VeriSign registration
authority that establishes and enforces controls over and has
decision-making authority regarding the issuance of relative distinguished
names for all IAs (but not for end-user subscribers). (Cf.,
NAMING AUTHORITY)
VERISIGN PUBLIC CERTIFICATION SERVICES (PCS)
The certification system provided by VeriSign and any
VeriSign-authorized IAs described in this CPS.
VERISIGN QUALIFIER
A data syntax facilitating the
representation of a set of values which restrict the meaning of
the VeriSign CPS. The qualifier value augments the standard certificate
policy extension present in all certificates according to the
rules defined by X.509 for that extension type.
VERISIGN ROOT (VR)
An IA that registers PCAs
by registering the self-signed public key of each PCA.
VERISIGN SECURITY PROCEDURES (VSP)
The comprehensive document
describing VeriSign's internal security techniques and
procedures. Note: for security reasons, VeriSign cannot disclose
the VSP for external review or publication.
W-Z
WORLD WIDE WEB (WWW)
A hypertext-based, distributed
information system in which users may create, edit, or browse
hypertext documents. A graphical document publishing and retrieval
medium; a collection of linked documents that reside on the Internet.
WRITING
Information in a record that
is accessible and usable for subsequent reference.
X.509
The ITU-T (International Telecommunication Union, Telecommunication
Standardization Sector) standard for certificates. X.509 v3 refers
to certificates containing or capable of containing extensions.