Welcome to the eduPKI website - GÉANT3 Services -


This glossary is helpful for the following documents:

  1. eduPKI PMA Charter
  2. eduPKI PMA CA accreditation process
  3. eduPKI PMA GÉANT Services registration process
  4. eduPKI Trust Profiles
  5. eduPKI CA Certificate Policy and Certification Practice Statement

autoBAHN see Automated Bandwidth Allocation across Heterogeneous Networks

Automated Bandwidth Allocation across Heterogeneous Networks A bandwidth-on-demand system dedicated to reserving resources in heterogeneous, multi-domain environments, allowing immediate and advance circuit reservations. The autoBAHN system provides the production bandwidth-on-demand service for the GÉANT community.

Base64 An encoding standard to store (binary) data in ASCII (American Standard Code for Information Interchange) format, i.e. using only a printable subset of the 7-bit characters that ASCII comprises.

CA see Certification Authority

CA Evaluation and Accreditation Team The eduPKI PMA forms the CA Evaluation and Accreditation Team, which evaluates an applying CA with regard to its conformance with a chosen eduPKI Trust Profile. The CA Evaluation and Accreditation Team is responsible for accreditation of conforming CAs as well as suspension and withdrawal of such accreditation.

Certificate see X.509 digital Certificate

Certificate Policy The main governing document for a CA defining its standards and conditions for issuing X.509 digital Certificates.

Certificate Revocation List An electronically signed list of revoked X.509 digital Certificates issued by a CA.

Certification Authority A Certification Authority issues X.509 digital Certificates and publishes revocation and status information about the issued Certificates.

Certification Practice Statement Based on the CP, the Certification Practice Statement of a CA contains detailed information, specifications, CA procedures and security measures for the issuance of X.509 digital Certificates by the CA.

cNIS see Common Network Information Service

Common Network Information Service Provides a unified repository of all relevant network information about a single administrative domain. Apart from the internal functionality required for populating, validating and updating the repository, cNIS is equipped with modules for analysing the network topology data and presenting the data in a client-specified format (graphical, tabular or XML for external applications).

Conforming CA A Certification Authority acting in compliance with an implied or explicitly named eduPKI Trust Profile.

CP see Certificate Policy

CPS see Certification Practice Statement

CRL see Certificate Revocation List

DER see Distinguished Encoding Rules

Distinguished Encoding Rules A standard derived from the Basic Encoding Rules (BER) standard to encode Certificates and CRLs when stored in binary form, e.g. in files.

eduroam® Federation of organisations mutually providing their users access to Internet connectivity.

eduroam® Service Provider RADIUS/TLS server operated by a network visited by a user registered within a different network.

eduroam® Identity Provider RADIUS/TLS server operated by the network managing an account for a user visiting a different network.

eduPKI PMA see eduPKI Policy Management Authority

eduPKI PMA Board The eduPKI PMA board consists of a chair and a co-chair as well as further members coordinating and performing the work of the eduPKI PMA.

eduPKI PMA Charter The main governing document defining rules for the eduPKI PMA.

eduPKI Policy Management Authority The authority that manages and coordinates PKI, policy and trust matters between the GÉANT community as Relying Parties and CAs as identity assurers.

eduPKI Trust Anchor Repository eduPKI uses TACAR to provide a trusted download location for the Trust Anchors of CAs.

eduPKI Trust Profile Definition of the minimum requirements of a GÉANT Service with regard to the quality of identity assertions and vetting procedures as well as the supporting assertion infrastructure.

Federal Information Processing Standards (USA) Standards issued by NIST for processing information on U.S. federal computer systems in U.S. government environments.

FIPS see Federal Information Processing Standards (USA)

GÉANT The fast and reliable pan-European communications infrastructure serving Europe's research and education community.

GÉANT Service A service offered by GÉANT participants to the GÉANT community.

GÉANT Service Area The GÉANT Service Area is a common pan-European service infrastructure that enables a range of advanced network services and applications to be offered at a national level by NRENs.

GÉANT's Multi-Domain Network Services These are network-related services with the objective of being available seamlessly in the different management domains across the GÉANT Service Area. Examples of such services are autoBAHN, cNIS, I-SHARe and perfSONAR.

Identity assertion An identity assurer, e.g. a CA, issues an identity assertion, e.g. a certificate, once the assurer has vetted the relevant identity: for assertions issued to persons, the identity of the entity described in the certificate's distinguished name; for other kinds of certificates, e.g. server certificates, the identity of the certificate requester.

Identity assurer An identity assurer, e.g. a CA, issues identity assertions once the identity assurer has vetted the identity that is or owns the subject described by the identity assertion.

IETF see Internet Engineering Task Force

Information Sharing across Heterogeneous Administrative Regions A collaborative tool to support operations in the management of end-to-end (E2E) network link services in a multi-domain environment. I-SHARe enables the seamless delivery of multi-domain E2E network link services as well as the provision of a consistent operational support system across multiple domains by simplifying collaboration between the participating domains, thus making it easier to establish and manage E2E network links.

Internet Engineering Task Force A community of network designers, operators, vendors and researchers fostering the evolution of the Internet architecture and caring for the smooth operation of the Internet.

I-SHARe see Information Sharing across Heterogeneous Administrative Regions

National Institute of Standards and Technology (USA) The USA's national standards and technology body.

National Research and Education Network National Research and Education Networks provide Internet connectivity as well as additional services to their scientific research and education constituencies on a national level.

NIST see National Institute of Standards and Technology (USA)

NREN see National Research and Education Network

Object Identifier A uniquely assigned identifier for a document or object.

OCSP see Online Certificate Status Protocol

OID see Object Identifier

Online Certificate Status Protocol A protocol defined by the IETF in "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, for issuing online queries and receiving responses about the revocation status of an X.509 digital Certificate.

PEM see Privacy Enhanced Mail

Performance Service Oriented Network monitoring Architecture The multi-domain monitoring service for the GÉANT Service Area enabling NRENs, Network Operations Centres (NOCs) and Performance Enhancement and Response Teams (PERTs) to collaborate in providing seamless network performance for their network users.

perfSONAR see Performance Service Oriented Network monitoring Architecture

PKCS see Public Key Cryptography Standard

PKI see Public Key Infrastructure

PKIX see Public Key Infrastructure for X.509 digital Certificates

PMA see Policy Management Authority

Policy A set of governing documents, e.g. CP and CPS, defining quality and operations of a CA.

Policy Management Authority A Policy Management Authority manages and coordinates PKI, policy and trust matters between Relying Parties which rely on issued identity assurances and CAs as the identity assurers.

Privacy Enhanced Mail A standard and format to store Certificates and CRLs in Base64 encoded form, e.g. in files.

Public Key Cryptography Standard A set of standards for public key cryptography, e.g. PKCS#10 describing Certificate Signing Requests (CSRs), PKCS#11 describing an application programming interface (API) for accessing a cryptographic key token, and PKCS#12 describing how to store private key material and associated certificates in pass-phrase protected files.

Public Key Infrastructure Infrastructure for public key cryptography.

Public Key Infrastructure for X.509 digital Certificates PKI especially built around X.509 digital Certificates; name of a working group at the IETF that writes RFCs with regard to implementing PKI with X.509 digital Certificates.

RADIUS/TLS RADIUS over TLS; a protocol defined by the IETF in "TLS encryption for RADIUS", draft-ietf-radext-radsec-09, S. Winter, M. McCauley, S. Venaas, K. Wierenga.

Relying Party A Relying Party relies on issued identity assertions, e.g. on X.509 digital Certificates, to authenticate the respective holder of the Certificate.

Request for Comments A series of technical and organisational documents and recommendations about the Internet published by the IETF.

RFC see Request for Comments

RSA Asymmetric cryptographic algorithm developed by R. L. Rivest, A. Shamir and L. Adleman, used for digital signing and encryption.

SHA Secure Hash Algorithm defined by NIST, used to produce cryptographically strong hash sums.

TACAR see TERENA Academic CA Repository

TACAR Trust Category Each eduPKI Trust Profile has its specific trust category in TACAR, and CAs accredited under an eduPKI Trust Profile are tagged with the TACAR Trust Category.

TERENA Trans-European Research and Education Networking Association

TERENA Academic CA Repository A website provided by TERENA to download various CA certificates.

TLS see Transport Layer Security

TP see eduPKI Trust Profile

Transport Layer Security A protocol defined by the IETF in "The Transport Layer Security (TLS) Protocol", RFC 5246.

Trust anchor An (often self-signed) X.509 digital Certificate bound to a CA.

Trust fabric A trust fabric is a mesh of PKIs, Policies, CAs and X.509 digital certificates of CAs and end-entities that makes up the environment in which Relying Parties base and make their trust decisions for authentications.

Trust Team The eduPKI PMA forms the Trust Team, which assists GÉANT Services with defining their identity assertion and trust requirements in order to write a Trust Profile document. The Trust Team registers GÉANT Services under Trust Profiles.

X.509 A set of recommendations issued by the International Telecommunication Union's (ITU's) Telecommunications Standardisation Sector (ITU-T) on PKI with digital certificates (and CRLs).

X.509 digital Certificate X.509 digital Certificates are X.509 compliant digitally signed identity assertions issued by an identity assurer, i.e. a CA, expressing the binding of the Certificate holder represented by the Certificate's subject name to the embedded public key.