authentication. The use of a password, certificate, personal identification number (PIN), or other information to validate an identity over a computer network. See also password-based authentication, certificate-based authentication, client authentication, server authentication.
certificate. The digital equivalent of an ID card. A certificate specifies the name of an individual, company, or other entity and certifies that a public key, which is included in the certificate, belongs to that entity. When you digitally sign a message or other data, the digital signature for that message is created with the aid of the private key that corresponds to the public key in your certificate. A certificate is issued and digitally signed by a certificate authority (CA). A certificate's validity can be verified by checking the CA's digital signature. Also called digital ID, digital passport, public-key certificate X.509 certificate, and security certificate. See also public-key cryptography.
certificate authority (CA). A service that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify. A CA also renews and revokes certificates and generates a list of revoked certificates at regular intervals. CAs can be independent vendors (such as the CAs listed at Client Certificates) or a person or organization using certificate-issuing server software (such as Netscape Certificate Management System). See also certificate, certificate revocation list (CRL).
certificate backup password.
A password that protects a certificate that you are backing up or have previously backed up. Certificate Manager asks you to set this password when you back up a certificate, and requests it when you attempt to restore a certificate that has previously been backed up.
certificate chain. A hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA and so on up to a root CA.
A unique number associated with a certificate. The number is not part of the certificate itself but is produced by applying a mathematical function to the contents of the certificate. If the contents of the certificate change, even by a single character, the function produces a different number. Certificate fingerprints can therefore be used to verify that certificates have not been tampered with.
certificate revocation list (CRL). A list of revoked certificates that is generated and signed by a certificate authority (CA). You can download the latest CRL to your browser or to a server, then check against it to make sure that certificates are still valid before permitting their use for authentication.
certificate verification. When Certificate Manager verifies a certificate, it confirms that the digital signature was created by a CA whose own CA certificate is both on file with Certificate Manager and marked as trusted for issuing that kind of certificate. It also confirms that the certificate being verified has not itself been marked as untrusted. Finally, if the Online Certificate Status Protocol (OCSP) has been activated, Certificate Manager also performs an online check. It does so by looking up the certificate in a list of valid certificates maintained at a URL that is specified either in the certificate itself or in the browser's validation preferences. If any of these checks fail, Certificate Manager marks the certificate as unverified and won't recognize the identity it certifies.
client. Software (such as browser software) that sends requests to and receives information from a server, which is usually running on a different computer. A computer on which client software runs is also described as a client.
client authentication. The process of identifying a client to a server, for example with a name and password or with a client SSL certificate and some digitally signed data. See also Secure Sockets Layer (SSL), server authentication.
client SSL certificate. A certificate that a client (such as browser software) presents to a server to authenticate the identity of the client (or the identity of the person using the client) using the Secure Sockets Layer (SSL) protocol. See also client authentication.
cryptographic algorithm. A set of rules or directions used to perform cryptographic operations such as encryption and decryption. Sometimes called a cipher.
cryptography. The art and practice of scrambling (encrypting) and unscrambling (decrypting) information. For example, cryptographic techniques are used to scramble an unscramble information flowing between commercial web sites and your browser. See also public-key cryptography.
digital signature. A code created from both the data to be signed and the private key of the signer. This code is unique for each new piece of data. Even a single comma added to a message changes the digital signature for that message. Successful validation of your digital signature by appropriate software not only provides evidence that you approved the transaction or message, but also provides evidence that the data has not changed since you digitally signed it. A digital signature has nothing to do with a handwritten signature, although it can sometimes be used for similar legal purposes. See also nonrepudiation, tamper detection.
distinguished name (DN).
A specially formatted name that uniquely identifies the subject of a certificate.
Surreptitious interception of information sent over a network by an entity for which the information is not intended.
encryption certificate. A certificate whose public key corresponds to a private key used for encryption only. Encryption certificates are not used for signing operations. See also dual key pairs, signing certificate.
encryption key. A private key used for encryption only. An encryption key and its equivalent public key, plus a signing key and its equivalent public key, constitute a dual key pairs.
FIPS PUBS 140-1.
Federal Information Processing Standards Publications (FIPS PUBS) 140-1 is a US government standard for implementations of cryptographic modules--that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). Many products sold to the US government must comply with one or more of the FIPS standards.
Lightweight Directory Access Protocol (LDAP).
A protocol for accessing directory services across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories.
master password. A password used by Certificate Manager to protect the master key and/or private keys stored on a security device. Certificate Manager needs to access your private keys, for example, when you sign email messages or use one of your own certificates to identify yourself to a web site. It needs to access your master key when it encrypts or decrypts information on behalf of another applicationfor example, when Password Manager needs to store or access your email password. You can set or change your master password from the My Certificates tab of the main Certificate Manager window. Each security device requires a separate master password. See also private key, master key.
misrepresentation. Presentation of an entity as a person or organization that it is not. For example, a web site might pretend to be a furniture store when it is really just a site that takes credit card payments but never sends any goods. See also spoofing.
Online Certificate Status Protocol (OCSP).
A set of rules that Certificate Manager follows to perform an online check of a certificate's validity each time the certificate is used. This process involves checking the certificate against a list of valid certificates maintained at a specified web site. Your computer must be online for OCSP to work.
PKCS #11 module. A program on your computer that manages cryptographic services such as encryption and decryption using the PKCS #11 standard. Also called cryptographic modules, cryptographic service providers, or security modules, PKCS #11 modules control either hardware or software devices. A PKCS #11 module always controls one or more slots, which may be implemented as some form of physical reader (for example, for reading smart cards) or in software. Each slot for a PKCS #11 module can in turn contain a security device (also called token), which is the hardware or software device that provides cryptographic services and stores certificates and keys. Certificate Manager provides two built-in PKCS #11 modules. You may install additional modules on your computer to control smart card readers or other hardware devices.
public key. One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a certificate. It is typically used to encrypt data sent to the public key's owner, who then decrypts the data with the corresponding private key.
public-key cryptography. A set of well-established techniques and standards that allow an entity (such as a person, an organization, or hardware such as a router) to verify its identity electronically or to sign and encrypt electronic data. Two keys are involved: a public key and a private key. The public key is published as part of a certificate, which associates that key with a particular identity. The corresponding private key is kept secret. Data encrypted with the public key can be decrypted only with the private key.
public-key infrastructure (PKI).
The standards and services that facilitate the use of public-key cryptography and certificates in a networked environment.
Secure Sockets Layer (SSL). A protocol that allows mutual authentication between a client and a server for the purpose of establishing an authenticated and encrypted connection. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. The new Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL. See also authentication, encryption.
security device. A hardware or software device that provides cryptographic services such as encryption and decryption and can store certificates and keys. A smart card is one example of a hardware security device. Personal Security Manager contains its own internal security device, called the PSM Private Keys security device, that is implemented in software. Each security device is protected by its own master password.
server. Software (such as software that serves up web pages) that receives requests from and sends information to a client, which is usually running on a different computer. A computer on which server software runs is also described as a server.
signing certificate. A certificate whose corresponding private key is used to sign transmitted data, so that the receiver can verify the identity of the sender. Certificate authorities (CAs) often issue a signing certificate that will be used to sign email messages at the same time as an encryption certificate that will be used to encrypt email messages. See also dual key pairs, digital signature.
signing key. A private key used for signing only. A signing key and its equivalent public key, together with an encryption key and its equivalent public key, constitute dual key pairs.
slot. A piece of hardware, or its equivalent in software, that is controlled by a PKCS #11 module and designed to contain a security device.
smart card. A small device, typically about the size of a credit card, that contains a microprocessor and is capable of storing cryptographic information (such as keys and certificates) and performing cryptographic operations. Smart cards use the PKCS #11 standard. A smart card is one kind of security device.
software security device. The default security device used by Certificate Manager to store private keys associated with your certificates. In addition to private keys, the software security device stores the master key used by Password Manager to encrypt email passwords, web site passwords, and other sensitive information. See also private key, master key, and Password Manager
spoofing. Pretending to be someone else. For example, a person can pretend to have the email address email@example.com, or a computer can identify itself as a site called www.mozilla.com when it is not. Spoofing is one form of misrepresentation.
subject. The entity (such as a person, organization, or router) identified by a certificate. In particular, the subject field of a certificate contains the certified entity's subject name and other characteristics.
An encryption method that uses a single cryptographic key to both encrypt and decrypt a given message.
trust. Confident reliance on a person or other entity. In the context of public-key infrastructure (PKI), trust usually refers to the relationship between the user of a certificate and the certificate authority (CA) that issued the certificate. If you use Certificate Manager to specify that you trust a CA, Certificate Manager trusts valid certificates issued by that CA unless you specify otherwise in the settings for individual certificates. You use the Authorities tab in Certificate Manager to specify the kinds of certificates you do or don't trust specific CAs to issue.
Copyright © 1994-2001 Netscape Communications Corporation.