ACCEPT (A CERTIFICATE)
To demonstrate approval of a certificate by a certificate applicant while
knowing or having notice of its informational contents, in accordance with
the CPS.
ACCESS
A specific type of interaction between a subject and communications
or information resources that results in a flow of information, the exercise
of control, or the activation of a process.
ACCREDITATION
A formal declaration by a VeriSign-designated approving authority that
a particular information system, professional or other employee or contractor,
or organization is approved to perform certain duties and to operate in
a specific security mode, using a prescribed set of safeguards.
AFFILIATED CERTIFICATE
A certificate issued to an affiliated individual. (Cf., AFFILIATED
INDIVIDUAL)
AFFILIATED INDIVIDUAL
A human being that is affiliated with an organization (i) as an officer,
director, employee, partner, contractor, intern, or other person within
the organization, or (ii) as a person maintaining a contractual relationship
with the organization where the organization has business records providing
strong assurances of the identity of such person. (Cf., AFFILIATED
CERTIFICATE)
AFFIRM / AFFIRMATION
To state or indicate by conduct that data is correct or information is
true.
APPLICANT (See CA APPLICANT; CERTIFICATE APPLICANT)
ARCHIVE
To store records and associated journals for a given period of time for
security, backup, or auditing purposes.
ASSURANCES
Statements or conduct intended to convey a general intention, supported
by a good-faith effort, to provide and maintain a specified service by
an IA. "Assurances" does not necessarily imply a guarantee that
the services will be performed fully and satisfactorily. Assurances are
distinct from insurance, promises, guarantees, and warranties, unless otherwise
expressly indicated.
AUDIT
A procedure used to validate that controls are in place and adequate for
their purposes. It includes recording and analyzing activities to detect
intrusions into, or abuses of, an information system. Inadequacies found
by an audit are reported to appropriate management personnel.
AUTHENTICATE (See AUTHENTICATION)
AUTHENTICATED RECORD
A signed document with appropriate assurances of authentication or a message
with a digital signature verified by a valid Class 3 certificate by a relying
party. However, for suspension and revocation notification purposes, the
digital signature contained in such notification message must have been
created by the private key corresponding to the public key contained in
the certificate for the applicable certificate class.
AUTHENTICATION
A process used to confirm the identity of a person or to prove the integrity
of specific information. Message authentication involves determining its
source and verifying that it has not been modified or replaced in transit.
(Cf., VERIFY (A DIGITAL SIGNATURE))
AUTHENTICODE™ (See MICROSOFT AUTHENTICODE™; SOFTWARE VALIDATION)
AUTHORIZATION
The granting of rights, including the ability to access specific information
or resources.
AVAILABILITY
The extent to which information or processes are reasonably accessible
and usable, upon demand, by an authorized entity, allowing authorized access
to resources and timely performance of time-critical operations.
BINDING
An affirmation by an IA (or its LRA) of the relationship between a named
entity and its public key.
C
CA APPLICATION (NON-VERISIGN CA APPLICATION)
The application submitted to the applicable VeriSign PCA by a non-VeriSign
entity requesting to become a certification authority or subordinate certification
authority, and requesting an IA certificate, within VeriSign's public certification
services. (See CPS Section 3.1.1)
CA APPLICANT
A person who submits a CA application to VeriSign requesting to become
a CA or subordinate CA. (Cf., SUBSCRIBER)
CERTIFICATE (PUBLIC KEY CERTIFICATE)
A message (see definition for MESSAGE) that, at least, states a
name or identifies the IA, identifies the subscriber, contains the subscriber's
public key, identifies the certificate's operational period, contains a
certificate serial number, and is digitally signed by the IA. All references
to a "Class [1, 2, or 3] certificate" or to a "certificate"
without a modifying adjective are intended as references to both "normal"
and "provisional" certificates, unless the context requires otherwise.
References to a certificate refer exclusively to certificates issued by
an IA. (Cf., PROVISIONAL CERTIFICATE)
CERTIFICATE APPLICANT
A person or authorized agent that requests the issuance of a public key
certificate by an IA. (Cf., CA APPLICANT; SUBSCRIBER)
CERTIFICATE APPLICATION
A request from a certificate applicant (or authorized agent) to an IA for
the issuance of a certificate. (Cf., CERTIFICATE APPLICANT; CERTIFICATE
SIGNING REQUEST)
CERTIFICATE CHAIN
An ordered list of certificates containing an end-user subscriber certificate
and IA certificates (See VALID CERTIFICATE)
CERTIFICATE EXPIRATION
The time and date specified in the certificate when the operational period
ends, without regard to any earlier suspension or revocation.
CERTIFICATE EXTENSION
An extension field to a certificate which may convey additional information
about the public key being certified, the certified subscriber, the certificate
issuer, and/or the certification process. Standard extensions are defined
in Amendment 1 to ISO/IEC 9594-8:1995 (X.509). Custom extensions can also
be defined by communities of interest.
CERTIFICATE HIERARCHY
A VeriSign PCS domain of IAs, each categorized with respect to its role
in a "tree structure" of subordinate IAs. An IA issues and manages
certificates for end-user subscribers and/or for one or more IAs at the
next level. Note: an IA in a trust hierarchy must observe uniform practices
addressing issues such as naming, maximum number of levels, etc., to assure
integrity of the domain and thereby ensure uniform accountability, auditability,
and management through the use of trustworthy operational processes.
CERTIFICATE ISSUANCE
The actions performed by an IA in creating a certificate and notifying
the certificate applicant (anticipated to become a subscriber) listed in
the certificate of its contents.
CERTIFICATE MANAGEMENT
Certificate management includes, but is not limited to, storage, dissemination,
publication, revocation, and suspension of certificates. An IA undertakes
certificate management functions by serving as a registration authority
for subscriber certificates. An IA designates issued and accepted certificates
as valid by publication.
CERTIFICATE OF AUTHENTICITY
A document issued by an authorized official of the jurisdiction in which
an acknowledgment by a notary was taken, such as the secretary of state
of a state (U.S.) to authenticate the status of a notary.
CERTIFICATE REVOCATION LIST (CRL)
A periodically (or exigently) issued list, digitally signed by an IA, of
identified certificates that have been suspended or revoked prior to their
expiration dates. The list generally indicates the CRL issuer's name, the
date of issue, the date of the next scheduled CRL issue, the suspended
or revoked certificates' serial numbers, and the specific times and reasons
for suspension and revocation.
CERTIFICATE SERIAL NUMBER
A value that unambiguously identifies a certificate generated by an IA.
CERTIFICATE SIGNING REQUEST (CSR)
A machine-readable form of a certificate application. (Cf., CERTIFICATE
APPLICATION)
CERTIFICATE SUSPENSION (See SUSPEND A CERTIFICATE)
CERTIFICATION / CERTIFY
The process of issuing a certificate by an IA.
CERTIFICATION AUTHORITY (CA)
A person (see definition for PERSON) authorized to issue certificates.
Under the VeriSign PCS, a CA is subordinate to a PCA. (Cf., REGISTRATION
AUTHORITY; TRUSTED THIRD PARTY)
CERTIFICATION PRACTICE STATEMENT (CPS)
This document, as revised from time to time (representing VeriSign's statement
of practices an IA employs in issuing certificates).
CERTIFIER (See ISSUING AUTHORITY)
CHALLENGE PHRASE
A set of numbers and/or letters that are chosen by a certificate applicant,
communicated to the IA with a certificate application, and used by the
IA to authenticate the subscriber for various purposes as required by the
CPS. A challenge phrase is also used by a secret share holder to authenticate
himself, herself, or itself to a secret share issuer.
CLASS [1, 2, OR 3] CERTIFICATE
A certificate of a specified level of trust. (See CPS Section 2.2.)
COMMERCIAL REASONABLENESS
In the context of electronic commerce, the implementation and use of technology,
controls, and administrative and operational procedures that reasonably
ensure system and message trustworthiness.
COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE
A Class 3 certificate that is issued to organizations only and is used
for software validation. (Cf., INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE;
SOFTWARE VALIDATION)
COMMON KEY
Some systems of cryptographic hardware require arming through a secret-sharing
process and require that the last of these shares remain physically attached
to the hardware in order for it to stay armed. In this case, "common
key" refers to this last share. It is not assumed to be secret as
it is not continually in an individual's possession.
COMPROMISE
A violation (or suspected violation) of a security policy, in which an
unauthorized disclosure of, or loss of control over, sensitive information
may have occurred. (Cf., DATA INTEGRITY)
CONFIDENTIALITY
The condition in which sensitive data is kept secret and disclosed only
to authorized parties.
CONFIRM
To ascertain through appropriate inquiry and investigation. (Cf.,
AUTHENTICATION; VERIFY A DIGITAL SIGNATURE)
CONFIRMATION OF CERTIFICATE CHAIN
The process of validating a certificate chain and subsequently validating
an end-user subscriber certificate.
CONTENT INTEGRITY SERVICES
Content integrity services provide certificates to software publishers
who desire to digitally sign their software publications to facilitate
their customers' (end-users') ability to undertake software validation.
CONTROLS
Measures taken to ensure the integrity and quality of a process.
CORRESPOND
To belong to the same key pair. (See also PUBLIC KEY; PRIVATE KEY)
CROSS-CERTIFICATION
A condition in which a VeriSign PCA and a non-VeriSign certificate-issuing
entity (representing another certification domain), either one or both,
issue a certificate having the other as the subject of that certificate.
CRYPTOGRAPHIC ALGORITHM
A clearly specified mathematical process for computation; a set of rules
that produce a prescribed result.
CRYPTOGRAPHY (Cf., PUBLIC KEY CRYPTOGRAPHY)
(i) The mathematical science used to secure the confidentiality and authentication
of data by replacing it with a transformed version that can be reconverted
to reveal the original data only by someone holding the proper cryptographic
algorithm and key.
(ii) A discipline that embodies the principles, means, and methods for
transforming data in order to hide its information content, prevent its
undetected modification, and/or prevent its unauthorized uses.
CRYPTOMODULE
A trustworthy implementation of a cryptosystem which safely performs encryption
and decryption of data.
D
DATA
Programs, files, and other information stored in, communicated, or processed
by a computer.
DATABASE
A set of related information created, stored, or manipulated by a computerized
management information system.
DATA CONFIDENTIALITY (See CONFIDENTIALITY)
DATA INTEGRITY
A condition in which data has not been altered or destroyed in an unauthorized
manner. (See also THREAT; cf., COMPROMISE)
DEMO CERTIFICATE
A certificate issued by an IA to be used exclusively for demonstration
and presentation purposes and not for any secure or confidential communications.
Demo certificates may be used by authorized persons only.
DENIAL OF SERVICE (See AVAILABILITY)
DIGITAL ID℠ (See CERTIFICATE)
A VeriSign service mark and brand name for a certificate.
DIGITAL SIGNATURE
A transformation of a message using an asymmetric cryptosystem such that
a person having the initial message and the signer's public key can accurately
determine whether the transformation was created using the private key
that corresponds to the signer's public key and whether the message has
been altered since the transformation was made.
DISTINGUISHED NAME
A set of data that identifies a real-world entity, such as a person in
a computer-based context (e.g., countryName=US, state=California,
organizationName=Electronic Inc., commonName=JohnDoe).
DOCUMENT
A record consisting of information inscribed on a tangible medium such
as paper rather than computer-based information. (Cf., MESSAGE;
RECORD)
E-F
ELECTRONIC MAIL ("E-MAIL")
Messages sent, received or forwarded in digital form via a computer-based
communication mechanism.
EMPLOYEE IN GOOD STANDING
A non-probationary employee that has not been terminated or suspended,
and is not the subject of pending disciplinary action, by his or her employer.
ENCRYPTION
The process of transforming plaintext data into an unintelligible form
(ciphertext) such that the original data either cannot be recovered (one-way
encryption) or cannot be recovered without using an inverse decryption
process (two-way encryption).
END-USER SUBSCRIBER
A subscriber which is not also an IA.
ENHANCED NAMING
The use of an extended organization field (OU=) in an X.509 v3 certificate.
ENROLLMENT
The process of a certificate applicant's applying for a certificate.
EXPORT CONTROL CERTIFICATE
A certificate-based service that allows approved server certificate subscribers
to operate in a strong encryption mode, and as a result, allows a browser
accessing such a server to also operate in such strong encryption mode.
EXTENSIONS
Extension fields in X.509 v3 certificates. (See X.509)
FILE TRANSFER PROTOCOL (FTP)
The application protocol that offers file system access from the Internet
suite of protocols.
FREE CERTIFICATE
A certificate issued by an IA such that the IA does not charge the subscriber
a fee for the certificate or otherwise receive compensation.
FTP (See FILE TRANSFER PROTOCOL)
G-H
GENERATE A KEY PAIR
A trustworthy process of creating private keys during certificate application
whose corresponding public keys are submitted to the applicable IA during
certificate application in a manner that demonstrates the applicant's capacity
to use the private key.
HASH (HASH FUNCTION)
An algorithm that maps or translates one set of bits into another (generally
smaller) set in such a way that:
i. A message yields the same result every time the algorithm is executed using the same message as input.
ii. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm.
iii. It is computationally infeasible to find two different messages that produce the same hash result using the same algorithm.
I
IA CERTIFICATE
A certificate issued by an authorized superior IA to a subordinate IA.
(See SUPERIOR IA; SUBORDINATE IA; cf., CERTIFICATE)
IDENTIFICATION/IDENTITY
The process of confirming the identity of a person. Identification is facilitated
in public key cryptography by means of certificates.
IDENTITY
A unique piece of information that marks or signifies a particular entity
within a domain. Such information is only unique within a particular domain.
INCORPORATE BY REFERENCE
To make one message a part of another message by identifying the message
to be incorporated, with information that enables the receiving party to
access and obtain the incorporated message in its entirety, and by expressing
the intention that it be part of the incorporating message. Such an incorporated
message shall have the same effect as if it had been fully stated in the
message to the extent permitted by law.
INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE
A Class 2 certificate that is issued to individuals only and is used for
software validation. (Cf., COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE;
SOFTWARE VALIDATION)
INTEGRITY (See DATA INTEGRITY)
ISSUING A CERTIFICATE (See CERTIFICATE ISSUANCE)
ISSUER (See ISSUING AUTHORITY)
ISSUING AUTHORITY (IA)
Within VeriSign's PCS, the VR, PCA, or CA (or subordinate CA) that issues,
suspends, or revokes a certificate. IAs are identified by a distinguished
name on all certificates and CRLs they issue. With prior approval by VeriSign,
an IA may delegate the responsibility to evaluate and approve or reject
certificate applications to one or more LRAs not owned or operated by the
IA under CPS Section 2.1.3. When such delegation occurs and where the context
requires, the term "IA" in this CPS shall include such LRAs with
respect to the delegating IA's obligations, representations, warranties,
and disclaimers.
J-L
KEY GENERATION
The trustworthy process of creating a private key/public key pair. The
public key is supplied to an IA during the certificate application process.
KEY PAIR
A private key and its corresponding public key. The public key can verify
a digital signature created by using the corresponding private key. In
addition, depending upon the type of algorithm implemented, key pair components
can also encrypt and decrypt information for confidentiality purposes,
in which case a private key uniquely can reveal information encrypted by
using the corresponding public key.
LOCAL REGISTRATION AUTHORITY (LRA)
An entity approved by an IA to assist persons in applying for certificates,
revoking (or where authorized, suspending) their certificates, or both
and also approving such applications. An LRA is not the agent of a certificate
applicant. An LRA may not delegate the authority to approve certificate
applications other than to authorized LRAAs of the LRA. (Cf., LOCAL
REGISTRATION AUTHORITY ADMINISTRATOR)
LOCAL REGISTRATION AUTHORITY ADMINISTRATOR (LRAA)
An employee of an LRA that is responsible for carrying out the functions
of an LRA. (Cf., LOCAL REGISTRATION AUTHORITY)
M-N
MESSAGE
A digital representation of information; a computer-based record. A subset
of RECORD. (Cf., RECORD)
MESSAGE INTEGRITY (See DATA INTEGRITY)
MICROSOFT AUTHENTICODE™ (See SOFTWARE VALIDATION)
NAME
A set of identifying attributes purported to describe an entity of a certain
type.
NAMING
Naming is the assignment of descriptive identifiers to objects of a particular
type by an authority which follows specific issuing procedures and maintains
specific records pertinent to an identified registration process. (Cf.,
NAMING AUTHORITY; VERISIGN NAMING AUTHORITY)
NAMING AUTHORITY
A body which executes naming policy and procedures and has control over
the registration and assignment of primitive (basic) names to objects of
a particular class. (Cf., NAMING; VERISIGN NAMING AUTHORITY)
NETSURE℠ PROTECTION PLAN
The VeriSign branded service that provides enhanced warranty protection
and that is backed by USF&G (United States Fidelity and Guarantee Insurance
Company). This service will become available shortly.
NONREPUDIATION
Provides proof of the origin or delivery of data in order to protect the
sender against a false denial by the recipient that the data has been received
or to protect the recipient against false denial by the sender that the
data has been sent. Note: Only a trier of fact (someone with the authority
to resolve disputes) can make an ultimate determination of nonrepudiation.
By way of illustration, a digital signature verified pursuant to this CPS
can provide proof in support of a determination of nonrepudiation by a
trier of fact, but does not by itself constitute nonrepudiation.
NONVERIFIED SUBSCRIBER INFORMATION (NSI)
Information submitted by a certificate applicant to an IA, and included
within a certificate, which has not been confirmed by the IA and for which
the IA provides no assurances other than that the information was submitted
by the certificate applicant. Information such as titles, professional
degrees, accreditations, and Registration Field Information are considered
NSI unless otherwise indicated.
NON-VERISIGN IA
An IA that is not owned or operated by VeriSign. (See CPS Section 3.1;
Cf., ISSUING AUTHORITY)
NON-VERISIGN ORGANIZATIONAL LRA
An LRA that is not owned or operated by VeriSign and is restricted to performing
LRA functions in connection with certificates issued to affiliated individuals
that are affiliated with it. (See CPS Section 2.5.4; Cf., LOCAL REGISTRATION
AUTHORITY; AFFILIATED INDIVIDUALS)
NORMAL CERTIFICATE (See CERTIFICATE)
NOTARY
A natural person authorized by an executive governmental agency to perform
notarial services such as taking acknowledgments, administering oaths or
affirmations, witnessing or attesting signatures, and noting protests of
negotiable instruments. In Japan, a natural person appointed and authorized
by the Minister of Legal Affairs to perform such duties as prescribed in
the Notary Public Law.
NOTICE
The result of notification in accordance with this CPS. (See CPS Section 12.10)
NOTIFY
To communicate specific information to another person as required by this
CPS and applicable law.
O-P
ON-LINE
Communications that provide a real-time connection to the VeriSign PCS.
OPERATIONAL CERTIFICATE
A certificate which is within its operational period at the present date
and time or at a different specified date and time, depending on the context.
OPERATIONAL PERIOD
The period starting with the date and time a certificate is issued (or
on a later date and time certain if stated in the certificate) and ending
with the date and time on which the certificate expires or is earlier suspended
or revoked.
ORGANIZATION
An entity with which a user is affiliated. An organization may also be
a user.
ORIGINATOR
A person by whom (or on whose behalf) a data message is purported to have
been generated, stored, or communicated. It does not include a person acting
as an intermediary.
PARTIES
The entities whose rights and obligations are intended to be controlled
by this CPS. These entities may include certificate applicants, IAs, subscribers,
and relying parties. (See USER; ISSUING AUTHORITY; RELYING PARTY)
PASSWORD (PASS PHRASE; PIN NUMBER)
Confidential authentication information, usually composed of a string of
characters used to provide access to a computer resource.
PC CARD (See also SMART CARD)
A hardware token compliant with standards promulgated by the Personal Computer
Memory Card International Association (PCMCIA) providing expansion capabilities
to computers, including the facilitation of information security.
PERSON
A human being or an organization (or a device under the control of a human
being or organization) capable of signing or verifying a message, either
legally or as a matter of fact. (A synonym of ENTITY.)
PERSONAL PRESENCE
The act of appearing (physically rather than virtually or figuratively)
before an LRA or its designee and proving one's identity as a prerequisite
to certificate issuance under certain circumstances.
PKI HIERARCHY
A set of IAs whose functions are organized according to the principle of
delegation of authority and related to each other as subordinate and superior
IA.
PLEDGE (See SOFTWARE PUBLISHER'S PLEDGE)
PRIMARY CERTIFICATION AUTHORITY (PCA)
A person that establishes practices for all certification authorities and
users within its domain.
PRIVATE KEY
A mathematical key (kept secret by the holder) used to create digital signatures
and, depending upon the algorithm, to decrypt messages or files encrypted
(for confidentiality) with the corresponding public key. (See also
PUBLIC KEY CRYPTOGRAPHY; PUBLIC KEY)
PROVISIONAL CERTIFICATE
A Class 2 certificate during the first 21 days of its operational period
that is issued upon the successful completion of all required IA-internal
validation procedures with respect to a Class 2 certificate application
(in accordance with CPS Section 5.1). The provisional state denotes that
further validation of the certificate application regarding the subscriber's
identity will be completed through a postal address "mail-back" procedure
(see CPS Section 5.1.4, Postal Address Confirmation). (Cf., CERTIFICATE)
PUBLIC CERTIFICATION SERVICES (See VERISIGN PUBLIC CERTIFICATION SERVICES)
PUBLIC KEY
A mathematical key that can be made publicly available and which is used
to verify signatures created with its corresponding private key. Depending
on the algorithm, public keys are also used to encrypt messages or files
which can then be decrypted with the corresponding private key. (See
also PUBLIC KEY CRYPTOGRAPHY; PRIVATE KEY)
PUBLIC KEY CERTIFICATE (See CERTIFICATE)
PUBLIC KEY CRYPTOGRAPHY (Cf., CRYPTOGRAPHY)
A type of cryptography that uses a key pair of mathematically related cryptographic
keys. The public key can be made available to anyone who wishes to use
it and can encrypt information or verify a digital signature; the private
key is kept secret by its holder and can decrypt information or generate
a digital signature.
PUBLIC KEY INFRASTRUCTURE (PKI)
The architecture, organization, techniques, practices, and procedures that
collectively support the implementation and operation of a certificate-based
public key cryptographic system. The PKI consists of systems which collaborate
to provide and implement the PCS and possibly other related services.
PUBLIC/PRIVATE KEY PAIR (See PUBLIC KEY; PRIVATE KEY; KEY PAIR)
PUBLISH / PUBLICATION
To record or file information in the VeriSign repository and optionally
in one or more other repositories in order to disclose and make publicly
available such information in a manner that is consistent with this CPS
and applicable law.
Q-R
QUALIFIER (See VERISIGN QUALIFIER)
RECIPIENT (of a DIGITAL SIGNATURE)
A person who receives a digital signature and who is in a position to rely
on it, whether or not such reliance occurs. (Cf., RELYING PARTY)
RECORD
Information that is inscribed on a tangible medium (a document) or stored
in an electronic or other medium and retrievable in perceivable form. The
term "record" is a superset of the two terms "document"
and "message". (Cf., DOCUMENT; MESSAGE)
REGISTERED STRING
A class of object subject to registration and recording procedures which
demonstrates the value is unambiguous within the records of the registration
authority. The type of value recorded is a string of characters.
REGISTRATION AUTHORITY
An entity trusted to register other entities and assign them a relative
distinguished value such as a distinguished name or a hash of a certificate.
A registration scheme for each registration domain ensures that each registered
value is unambiguous within that domain. (Cf., CERTIFICATION AUTHORITY)
REGISTRATION FIELD INFORMATION
Country, zip code, age, and gender data included within designated certificates
at the option of the subscriber.
RELATIVE DISTINGUISHED NAME (RDN)
A set of attributes comprising an entity's distinguished name that distinguishes
the entity from others of the same type.
RELY / RELIANCE (on a CERTIFICATE and DIGITAL SIGNATURE)
To accept a digital signature and act in a manner that could be detrimental
to oneself were the digital signature to be ineffective. (Cf., RELYING
PARTY; RECIPIENT)
RELYING PARTY
A recipient who acts in reliance on a certificate and digital signature.
(Cf., RECIPIENT; RELY / RELIANCE (on a CERTIFICATE and DIGITAL SIGNATURE))
RENEWAL
The process of obtaining a new certificate of the same class and type for
the same subject once an existing certificate has expired.
REPOSITORY
A database of certificates and other relevant information accessible on-line.
REPUDIATION (See also NONREPUDIATION)
The denial or attempted denial by an entity involved in a communication
of having participated in all or part of the communication.
REVOKE A CERTIFICATE
The process of permanently ending the operational period of a certificate
from a specified time forward.
ROOT
The IA that issues the first certificate in a certification chain. The
root's public key must be known in advance by a certificate user in order
to validate a certification chain. The root's public key is made trustworthy
by some mechanism other than a certificate, such as by secure physical
distribution.
RSA
A public key cryptographic system invented by Rivest, Shamir & Adleman.
S
SECRET SHARE
A portion of a cryptographic secret split among a number of physical tokens.
SECRET SHARE HOLDER
An authorized holder of a physical token containing a secret share.
SECRET SHARE ISSUER
The person designated by an IA to create and distribute secret shares.
SECRET SHARING (See also SECRET SHARE)
The practice of distributing secret shares of a private key to a number
of secret share holders; threshold-based splitting of keys.
SECURE CHANNEL
A cryptographically enhanced communications path that protects messages
against perceived security threats.
SECURITY
The quality or state of being protected from unauthorized access or uncontrolled
losses or effects. Absolute security is impossible to achieve in practice
and the quality of a given security system is relative. Within a state-model
security system, security is a specific "state" to be preserved
under various operations.
SECURITY POLICY
A document which articulates requirements and good practices regarding
the protections maintained by a trustworthy system in support of the PCS.
SECURITY SERVICES
Services provided by a set of security frameworks and performed by means
of certain security mechanisms. Such services include, but are not limited
to, access control, data confidentiality, and data integrity.
SELF-SIGNED PUBLIC KEY
A data structure that is constructed the same as a certificate but that
is signed by its subject. Unlike a certificate, a self-signed public key
cannot be used in a trustworthy manner to authenticate a public key to
other parties. A PCA self-signed public key digitally signed by the VR
shall constitute a certificate. (Cf., CERTIFICATE)
SERIAL NUMBER (See CERTIFICATE SERIAL NUMBER)
SERVER
A computer system that responds to requests from client systems.
SIGN
To create a digital signature for a message, or to affix a signature to
a document, depending upon the context.
SIGNATURE
A method that is used or adopted by a document originator to identify himself
or herself, which is either accepted by the recipient or its use is customary
under the circumstances. (Cf., DIGITAL SIGNATURE)
SIGNER
A person who creates a digital signature for a message, or a signature
for a document.
SMART CARD
A hardware token that incorporates one or more integrated circuit (IC)
chips to implement cryptographic functions and that possesses some inherent
resistance to tampering.
S/MIME
A specification for E-mail security exploiting a cryptographic message
syntax in an Internet MIME environment.
SOFTWARE PUBLISHER
A subscriber who has obtained a special certificate used to digitally sign
software with the Microsoft Authenticode™ system. Subscribers
may also obtain other Class 2 and 3 certificates that may be used to sign
content, including software, but the subscribers of such other certificates
are not software publishers as defined in the CPS. (Cf., INDIVIDUAL
SOFTWARE PUBLISHER CERTIFICATE; COMMERCIAL SOFTWARE PUBLISHER CERTIFICATE)
SOFTWARE PUBLISHER'S CERTIFICATE REVOCATION STATUS SERVICE
An automated, on-line status service used to support software validation,
provided exclusively for software publisher's certificates. The service
is automatically (and exclusively) invoked upon the downloading of software
digitally signed with a software publisher's certificate. That is, upon
receipt of such digitally signed software, the Web browser's authentication
module automatically establishes a connection to VeriSign and queries a
VeriSign server to validate the software publisher's certificate. The service
returns to the Web browser a digitally signed status message. The service's
data is VeriSign repository-based and is updated daily. The service is
exclusively available to users of Microsoft Internet Explorer Web browsers.
(Cf., SOFTWARE PUBLISHER'S PLEDGE; SOFTWARE VALIDATION)
SOFTWARE PUBLISHER'S PLEDGE
The representations and guarantees made by individual and commercial software
publishers as stated in the CPS. (See CPS
Section 4.3)
SOFTWARE VALIDATION
VeriSign services which provide assurances in accordance with the CPS and
the software publisher's pledge (see CPS
Section 4.3) of an individual or commercial software publisher (for
Microsoft Authenticode™ only) that digitally signed software
was duly published by the subject of the corresponding VeriSign-issued
certificate and has not been modified since it was digitally signed. (Cf.,
INDIVIDUAL SOFTWARE PUBLISHER CERTIFICATE; COMMERCIAL SOFTWARE PUBLISHER
CERTIFICATE; SOFTWARE PUBLISHER'S PLEDGE; VALIDATION (OF CERTIFICATE APPLICATION))
SUBJECT (OF A CERTIFICATE)
The holder of a private key corresponding to a public key. The term "subject"
can refer to both the equipment or device that holds a private key and
to the individual person, if any, who controls that equipment or device.
A subject is assigned an unambiguous name which is bound to the public
key contained in the subject's certificate.
SUBJECT NAME
The unambiguous value in the subject name field of a certificate which
is bound to the public key.
SUBORDINATE IA
Within the VeriSign PKI architecture's hierarchy of IAs, each IA is either
the VR, a PCA, a CA or a "subordinate CA". The subordinate IA
of the VR is a PCA; the PCA's subordinate IA is a CA; a CA's subordinate
IA is a subordinate CA. If present, a subordinate CA's subordinate IA is
yet another subordinate CA. (Cf., SUPERIOR IA)
SUBSCRIBER
A person who is the subject of, and has been issued, a certificate, and
who is capable of using, and authorized to use, the private key that corresponds
to the public key listed in the certificate. (See also SUBJECT; cf.,
CERTIFICATE APPLICANT; USER)
SUBSCRIBER AGREEMENT
The agreement (See Subscriber Agreement)
executed between a subscriber and an IA for the provision of designated
public certification services in accordance with this CPS.
SUBSCRIBER INFORMATION
Information supplied to a certification authority as part of a certificate
application. (Cf., CERTIFICATE APPLICATION)
SUPERIOR IA
Within the VeriSign PKI architecture's hierarchy of IAs, each IA is either
the VR, a PCA, a CA or a "subordinate CA". The superior IA of
a subordinate CA is either another subordinate CA or a CA; a CA's superior
is a PCA; a PCA's superior is either the VR, or itself. The VR is its own
superior IA. (Cf., SUBORDINATE IA)
SUSPEND A CERTIFICATE
A temporary "hold" placed on the effectiveness of the operational period
of a certificate without permanently revoking the certificate. A certificate
suspension is invoked by, e.g., a CRL entry with a reason code. (Cf., REVOKE
A CERTIFICATE)
T
TEST CERTIFICATE
A certificate issued by an IA for the limited purpose of internal technical
testing. Test certificates may be used by authorized persons only. (See
CPS Section 2.2.4).
THREAT
A circumstance or event with the potential to cause harm to a system, including
the destruction, unauthorized disclosure, or modification of data and/or
denial of service.
TIME STAMP
A notation that indicates (at least) the correct date and time of an action,
and the identity of the person or device that sent or received the time stamp.
TOKEN
A hardware security token containing a user's private key(s), public key
certificate, and, optionally, a cache of other certificates, including
all certificates in the user's certification chain.
TRANSACTION
A computer-based transfer of business information which consists of specific
processes to facilitate communication over global networks.
TRUST
Generally, the assumption that an entity will behave substantially as expected.
Trust may apply only for a specific function. The key role of this term
in an authentication framework is to describe the relationship between
an authenticating entity and an IA. An authenticating entity must be certain
that it can trust the IA to create only valid and reliable certificates,
and users of those certificates rely upon the authenticating entity's determination
of trust.
TRUSTED PERSON
A person who serves in a trusted position and is qualified to serve in
it in accordance with this CPS. (Cf., TRUST; TRUSTED POSITION; TRUSTED
THIRD PARTY; TRUSTWORTHY SYSTEM)
TRUSTED POSITION
A role within an IA that includes access to or control over cryptographic
operations that may materially affect the issuance, use, suspension, or
revocation of certificates, including operations that restrict access to
a repository.
TRUSTED ROOT
A trusted root is a public key which has been confirmed as bound to an
IA by a user or system administrator. Software and systems implementing
authentication based on public key cryptography and certificates assume that
this key value has been correctly obtained. It is confirmed by always accessing
it from a trusted system repository to which only identified and trusted
administrators have modification authorizations.
TRUSTED THIRD PARTY
In general, an independent, unbiased third party that contributes to the
ultimate security and trustworthiness of computer-based information transfers.
A trusted third party does not connote the existence of a trustor-trustee
or other fiduciary relationship. (Cf., TRUST)
TRUSTWORTHY SYSTEM
Computer hardware, software, and procedures that are reasonably secure
from intrusion and misuse; provide a reasonable level of availability,
reliability, and correct operation; are reasonably suited to performing
their intended functions; and enforce the applicable security policy. A
trustworthy system is not necessarily a "trusted system" as recognized
in classified government nomenclature.
TYPE (OF CERTIFICATE)
The defining properties of a certificate which limit its intended purpose
to a class of applications uniquely associated with that type.
U-V
UNAMBIGUOUS NAME (See DISTINGUISHED NAME)
UNIFORM RESOURCE LOCATOR (URL)
A standardized device for identifying and locating certain records and
other resources located on the World Wide Web.
USER
An authorized entity that uses a certificate as applicant, subscriber,
recipient or relying party, but not including the IA issuing the certificate.
(Cf., CERTIFICATE APPLICANT; ENTITY; PERSON; SUBSCRIBER)
VALID CERTIFICATE
A certificate issued by an IA and accepted by the subscriber listed in
it.
VALIDATE A CERTIFICATE (i.e., of an END-USER SUBSCRIBER CERTIFICATE)
The process performed by a recipient or relying party to confirm that an
end-user subscriber certificate is valid and was operational at the date
and time a pertinent digital signature was created.
VALIDATE A CERTIFICATE CHAIN
For each certificate in a chain, the process performed by the recipient
or relying party to authenticate the public key (in each certificate),
confirm that each certificate is valid, was issued within the operational
period of the corresponding IA certificate, and that all parties (IAs,
end-user subscribers, recipients, and relying parties) have operated in
accordance with this CPS as to all certificates in the chain.
VALIDATION (OF CERTIFICATE APPLICATION)
The process performed by the IA (or its LRA) following submission of a
certificate application as a prerequisite to approval of the application
and the issuance of a certificate. (Cf., AUTHENTICATION; SOFTWARE
VALIDATION)
VALIDATION (OF SOFTWARE) (See SOFTWARE VALIDATION)
VERIFY (a DIGITAL SIGNATURE)
In relation to a given digital signature, message, and public key, to determine
accurately that (i) the digital signature was created during the operational
period of a valid certificate by the private key corresponding to the public
key contained in the certificate and (ii) the associated message has not
been altered since the digital signature was created. (Cf., AUTHENTICATION;
CONFIRM)
VERISIGN NAMING AUTHORITY
A VeriSign registration authority that establishes and enforces controls
over and has decision-making authority regarding the issuance of relative
distinguished names for all IAs (but not for end-user subscribers). (Cf.,
NAMING AUTHORITY)
VERISIGN PUBLIC CERTIFICATION SERVICES (PCS)
The certification system provided by VeriSign and any VeriSign-authorized
IAs described in this CPS.
VERISIGN QUALIFIER
A data syntax facilitating the representation of a set of values which
restrict the meaning of the VeriSign CPS. The qualifier value augments
the standard certificate policy extension present in all certificates according
to the rules defined by X.509 for that extension type.
VERISIGN ROOT (VR)
An IA that registers PCAs by registering the self-signed public key of
each PCA.
VERISIGN SECURITY POLICY (VSP)
The document describing VeriSign's internal security policies.
W-Z
WORLD WIDE WEB (WWW)
A hypertext-based, distributed information system in which users may create,
edit, or browse hypertext documents. A graphical document publishing and
retrieval medium; a collection of linked documents that reside on the Internet.
WRITING
Information in a record that is accessible and usable for subsequent reference.
X.509
The ITU-T (International Telecommunications Union-T) standard for certificates.
X.509 v3 refers to certificates containing or capable of containing extensions.