Glossary


A
Attribute   A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number, and group affiliation.
Attribute Assertion   A mechanism for associating specific attributes with a user.
Attribute Authority (AA)   The Shibboleth software service that asserts the requesting individual's attributes by creating an attribute assertion and then digitally signing it. The receiving online Service Provider must be able to validate this signature.
Attribute Authority Subject DN   The distinguished name of the Attribute Authority.
Attribute Authority URL   The Internet address of the Attribute Authority.
Attribute Release Policy (ARP)   Rules that an AA follows when deciding whether or not to release an attribute and its value(s).
Audit   An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.
Authentication (AuthN)   The security measure by which a person transmits and validates his or her association with an electronic identifier. An example of authentication is submitting a password that is associated with a user account name.
Authorization (AuthZ)   The process for determining a specific person's eligibility to gain access to a resource or service; also, a right or permission granted to access an online system.

C
Carnegie Classification   The Carnegie Classification of Institutions of Higher Education is a taxonomy of U.S. higher education institutions. The 2000 Carnegie Classification includes all colleges and universities in the United States that are degree-granting and accredited by an agency recognized by the U.S. Secretary of Education. The 2000 edition classifies institutions based on their degree-granting activities from 1995-96 through 1997-98. http://www.carnegiefoundation.org/Classification/CIHE2000/defNotes/Definitions.htm
Certificate Authority (CA)   A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption.
Certificate Policy (CP)   A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. http://www.ietf.org/rfc/rfc3647.txt
Certification Practice Statement (CPS)   A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. http://www.ietf.org/rfc/rfc3647.txt

D
digital signature   A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.
directory   A directory is a specialized database that may contain information about an institution's membership, groups, roles, devices, systems, services, locations, and other resources.
Distinguished Name (DN)   Distinguished names are string representations that uniquely identify users, systems, and organizations. In general, DNs are used in LDAP-compliant directories. In certificate management systems, DNs are used to identify the owner of a certificate and the authority that issued the certificate.
domain name   A domain name is that portion of an Internet Uniform Resource Locator (URL) that fully identifies the server program that an Internet request is addressed to. InCommonFederation.org is an example of a domain name.
Domain Name Service (DNS)   An Internet service that translates domain names to and from IP addresses.

E
eduOrg   An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduOrg object class focuses on the attributes of organizations. Current documentation on the eduOrg object class is available at http://www.educause.edu/eduperson/.
eduPerson   An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.educause.edu/eduperson/.
electronic identifier   A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a campus NetID, an employee or student ID, or a PKI certificate.
enterprise directory   An enterprise directory is a core middleware architecture that may provide common authentication, authorization, and attribute services to electronic services offered by an institution.
enterprise directory infrastructure   The infrastructure required to support and maintain an enterprise directory. This may include multiple directory hardware components as well as the processes by which data flows into and out of the directory service.
Executive   The Executive represents the participant organization regarding all decisions and delegations of authority for the responsibilities of InCommon Participants, including but not limited to payment of invoices, and assigning any person in the trusted Administrator role who submits Certificate Signing Requests, metadata, or Certificate Revocation Requests, and other administrative duties as described herein. The Executive is authorized as such in the InCommon participation agreement or by succession from the originally named Executive. The Executive role will typically be filled by a CIO, VP of IT, or other senior administrative officer responsible for the organization's information technology assets.

F
federated identity   The management of identity information between members of a federation.
federation   A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.

H
Handle   A reference assigned to a user for the purpose of retrieving attributes about the user. The handle is not in any way linked to the identity of the user.
Handle Service   The Identity Provider component responsible for (indirectly) providing a handle to be used for making user attribute requests to an Identity Provider Attribute Authority.
Handle Service subject DN   The distinguished name of the Handle Service.
Handle Service URL   The Internet address of the Handle Service.
Higher Education Public Key Infrastructure (HEPKI)   See entry for Public Key Infrastructure (PKI).

I
identity credential   An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
identity database   A structured collection of information pertaining to a given individual. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database or set of linked relational databases.
Identity Management System   A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials.
Identity Provider (IdP)   The originating location for a user. Previously called the Origin Site in the Shibboleth software implementation. For InCommon, an IdP is a campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants.
InCommon CA Root Profile   The description of attributes and the data required to authenticate under the InCommon Certificate Authority (CA).
InCommon federation   InCommon is a formal federation of organizations focused on creating a common framework for trust in support of research and education. The primary purpose of the InCommon federation is to facilitate collaboration through the sharing of protected network-accessible resources by means of an agreed-upon common trust fabric. InCommon participation is separate from membership in Internet2.
InQueue   InQueue is a federation of organizations who are interested in using the Shibboleth technology and exploring how federations work prior to joining a production federation such as InCommon. Participation in InQueue is open to any technically qualifying organization. http://inqueue.internet2.edu/
Issuer   The CA that issues a certificate.

L
LDAP directory   An LDAP directory is one that supports the Lightweight Directory Access Protocol (LDAP). LDAP is a widely adopted IETF standard directory access protocol well suited to the authentication and authorization needs of modern application architectures.
Liberty Alliance   A consortium of technology and consumer-facing organizations, formed in September 2001 to establish an open standard for federated network identity. http://www.projectliberty.org/
Lightweight Directory Access Protocol (LDAP)   An IETF standard for directory services.
Lightweight Directory Inter-exchange Format (LDIF)   A protocol for exchange of information among LDAP directories.

M
metadata   Data about data, or information known about an object in order to provide access to the object. Usually includes information about intellectual content, digital representation data, and security or rights management information.

N
namespace   A set of names in which all names are unique.
NetID   An electronic identifier created specifically for use with on-line applications, often an integer and typically with no other meaning.
nonrepudiation   Assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data.

O
open source   Software where the source code is available for anyone to extend or modify. http://www.opensource.org/

P
personal secret   As used in the context of this document, synonymous with password, pass phrase, or PIN. It enables the holder of an electronic identifier to confirm that s/he is the person to whom the identifier was issued.
policies   Statements that outline the process and procedures that will be followed.
Privacy Policy   A statement to users of what information is collected and what will be done with the information after it has been collected.
Profile   Data comprising the broad set of attributes that may be maintained for an identity, and the data required to authenticate under that identity.
public key cryptography   A cryptographic technique that uses two keys: the first key is always kept secret by an entity, and the second key, which is uniquely linked to the first one, is made public. Messages created with the first key can be uniquely verified with the second key.
Public Key Infrastructure (PKI)   The set of standards and services that facilitate the use of public-key cryptography in a networked environment.

R
relying party   A recipient of a certificate who acts in reliance on that certificate and/or any digital signatures verified using that certificate. http://www.ietf.org/rfc/rfc3647.txt

S
Shibboleth®   Software developed by Internet2 to enable the sharing of web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site to enable that site to make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies that control what information about a user can be released to each destination. For more information on Shibboleth please visit http://shibboleth.internet2.edu/uses.html.

U
Uniform Resource Identifier (URI)   The name for identifying an abstract or physical resource.
Uniform Resource Locator (URL)   The address of a resource accessible on the Internet. URLs are a subset of URIs.
Uniform Resource Name (URN)   Refers to the subset of URIs that are required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable.
US Higher Education Root (USHER)   USHER is the replacement for the CREN Certificate Authority. USHER will issue Institutional Certificates to US institutions of higher education and is the certificate issuing authority for Internet2.

V
validation   The process of identification of certificate applicants.

W
Where Are You From (WAYF)   A server used by the Shibboleth software to determine what a user's home organization is.