CA/Terminology

From MozillaWiki

CA and Certificate Terminology

Certificate: An electronic document that uses a digital signature to bind a public key and an identity. Certificates are used for two primary functions within Mozilla software: to connect to an SSL-enabled web server or other SSL-enabled servers, and to read digitally signed email from another user.

Certificate Policy: A set of rules that indicates the applicability of a named Certificate to a particular community and/or PKI implementation with common security requirements.

Certification Authority: An organization that is responsible for the creation, issuance, revocation, and management of Certificates.

Certification Practice Statement: One of several documents forming the governance framework in which Certificates are created, issued, managed, and used.

Domain Validated (DV): A certificate where the CA has validated that the applicant owns or controls the domain in question, but has not otherwise validated their identity.

End-Entity Certificate: A Certificate that cannot sign other Certificates.

Extended Validation (EV): A certificate where the CA has validated the identity of the applicant to the level defined by the Extended Validation Guidelines from the CA/Browser Forum, and has encoded the results into the certificate and marked it as an EV certificate. They will also have validated that the applicant owns or controls the domain in question.

Individual Validation (IV): A certificate where the CA has validated the identity of the applicant individual to a level of rigour below that defined by the Extended Validation Guidelines, and has encoded the results into the certificate. They will also have validated that the applicant owns or controls the domain in question. Sometimes, the term "OV" is also used to cover this case. Mozilla products intentionally do not distinguish in the user interface between IV/OV and DV certificates.

Intermediate Certificate: A Certificate that is signed by either a Root Certificate or another Intermediate Certificate, and that signs either End-Entity Certificates or other Intermediate Certificates.

Multi-Factor Authentication: Authentication requiring that the user provide more than one form of verification in order to prove their identity and allow access to the system. Typically user-name and password is one form of verification. Often the second form of verification is something the user has, such as a smart card, security token, phone system providing a one-time password, etc.

Network Security Services (NSS): The open source cryptographic library developed as part of the overall Mozilla project and incorporated into Firefox, Thunderbird, and other Mozilla-based products. The NSS codebase includes the Mozilla Root Store.

Organizational Validation (OV): A certificate where the CA has validated the identity of the applicant organization to a level of rigour below that defined by the Extended Validation Guidelines, and has encoded the results into the certificate. They will also have validated that the applicant owns or controls the domain in question. Mozilla products intentionally do not distinguish in the user interface between OV and DV certificates.

Personal Security Manager (PSM): The name used for the component of Firefox/Thunderbird which provides the security user interface and other functions by which Mozilla products make use of NSS.

Registration: The tasks of application processing, verification, managing requests for certificates and delivery of certificates. This does not include issuance of certificates (issuance may only be performed by the CA). RAs may nevertheless be "in-house", i.e. part of the same organization as the CA.

Registration Authority: An entity that performs Registration.

Root CA: An organization that is responsible for the creation, issuance, revocation, and management of Certificates, and whose Root Certificate is included in NSS.

Root Certificate: A self-signed Certificate issued by a Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.

Subordinate CA: An organization that is responsible for the creation, issuance, revocation, and management of Certificates, and whose Subordinate Certificate is signed by a Root CA or another Subordinate CA.

Subordinate Certificate: An Intermediate Certificate.

Trust Anchor: A Certificate that is included in NSS with at least one of the trust bits enabled. This is usually a Root Certificate, but under certain circumstances may be an Intermediate Certificate.

Trust Bits: Metadata associated with a root CA certificate in NSS that determines whether end entity certificates issued under that root's hierarchy will be recognized by NSS as valid for various purposes. Currently there are two trust bits, for SSL/TLS and S/MIME email.
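The entries for Root Certificate, Intermediate Certificate, End-Entity Certificate, Trust Anchor and Trust Bits describe one relationship: a chain is walked from the end-entity certificate toward a self-signed root, and it is trusted for a purpose only if it reaches a certificate in the store whose trust bit for that purpose is enabled. The following is an added illustration, not Mozilla or NSS code; it models only the metadata (no keys or signatures), and every subject name and the contents of the trust store are constructed for the example.

```python
from dataclasses import dataclass
# The two NSS trust bits named on the page.
SSL_TLS = "SSL/TLS"
S_MIME = "S/MIME"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # subject of the signing certificate; equals subject when self-signed
    can_sign_certs: bool   # False for end-entity certificates

# Constructed trust store (subject -> enabled trust bits): a root trusted only for
# TLS, and an intermediate that is itself a trust anchor, but only for S/MIME.
TRUST_BITS = {
    "Example TLS Root": {SSL_TLS},
    "Example Email Intermediate": {S_MIME},
}

# Constructed certificates; "Example Email Root" is deliberately absent from the store.
CERTS = [
    Cert("Example TLS Root", "Example TLS Root", True),
    Cert("Example TLS Intermediate", "Example TLS Root", True),
    Cert("www.example.com", "Example TLS Intermediate", False),
    Cert("Example Email Root", "Example Email Root", True),
    Cert("Example Email Intermediate", "Example Email Root", True),
    Cert("user@example.com", "Example Email Intermediate", False),
]

def is_trusted(leaf, certs, purpose, trust_bits=TRUST_BITS):
    """Walk issuer links upward from `leaf`; True once a trust anchor enabled for `purpose` is reached."""
    by_subject = {c.subject: c for c in certs}
    current, seen = leaf, {leaf.subject}
    while True:
        if current is not leaf and purpose in trust_bits.get(current.subject, ()):
            return True   # trust anchor (root or intermediate) with the right trust bit
        if current.issuer == current.subject:
            return False  # self-signed root reached without a matching trust bit
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer.subject in seen or not issuer.can_sign_certs:
            return False  # unknown issuer, loop, or an end-entity certificate used as issuer
        seen.add(issuer.subject)
        current = issuer

def find(subject, certs=CERTS):
    return next(c for c in certs if c.subject == subject)

if __name__ == "__main__":
    for subject, purpose in [("www.example.com", SSL_TLS), ("www.example.com", S_MIME),
                             ("user@example.com", S_MIME), ("user@example.com", SSL_TLS)]:
        print(f"{subject:18} {purpose:8} -> {is_trusted(find(subject), CERTS, purpose)}")
```

The email chain is trusted for S/MIME through the intermediate anchor even though its root is not in the store, while the same chain fails for SSL/TLS; the TLS chain shows the reverse.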