
Architecture for Public-Key Infrastructure (APKI)
Copyright © 1998 The Open Group


access control

The prevention of unauthorized use of a resource including the prevention of use of a resource in an unauthorized manner (see ISO/IEC 7498-2).

access control policy

The set of rules that define the conditions under which an access may take place (see ISO/IEC 10181-3).


The property that ensures that the actions of an entity may be traced to that entity (see ISO/IEC 7498-2).


Application Programming Interface.

The interface between the application software and the application platform, across which all services are provided.

The application programming interface is primarily in support of application portability, but system and application interoperability are also supported by a communication API.


The collection of information that is relevant to the control of communications security for a particular application-association (see ISO/IEC 10745).


See Overview of Virtual Smartcard Services (see ISO/IEC 7498-2).

audit trail

See Overview of Virtual Smartcard Services (see ISO/IEC 7498-2).

authenticated identity

An identity of a principal that has been assured through authentication (see ISO/IEC 10181-2).


Verify claimed identity; see Overview of Virtual Smartcard Services and Overview of Virtual Smartcard Services (see ISO/IEC 7498-2).

authentication certificate

Authentication information in the form of a security certificate which may be used to assure the identity of an entity guaranteed by an authentication authority (see ISO/IEC 10181-2).

authentication exchange

A sequence of one or more transfers of exchange authentication information (AI) for the purposes of performing an authentication (see ISO/IEC 10181-2).

authentication information (AI)

Information used to establish the validity of a claimed identity (see ISO/IEC 7498-2).


The granting of rights, which includes the granting of access based on access rights (see ISO/IEC 7498-2).


The property of being accessible and usable upon demand by an authorized entity (see ISO/IEC 7498-2).

certification authority (CA)

A certification authority issues certificates and vouches for the identities of those individuals or entities to whom it issues certificates, and their association with a given key.


Data produced through the use of encipherment. The semantic content of the resulting data is not available (see ISO/IEC 7498-2).
Ciphertext may itself be input to encipherment, such that super-enciphered output is produced.

clear text

Intelligible data, the semantic content of which is available (see ISO/IEC 7498-2).


These operations occur between a pair of communicating independent peer processes. The peer process initiating a service request is termed the client. The peer process responding to a service request is termed the server. A process may act as both client and server in the context of a set of transactions.


The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (see ISO/IEC 7498-2).

contextual information

Information derived from the context in which an access is made (for example, time of day) (see ISO/IEC 10181-3).


Data that is transferred to establish the claimed identity of an entity (see ISO/IEC 7498-2).


The analysis of a cryptographic system and its inputs and outputs to derive confidential variables and/or sensitive data including clear text (see ISO/IEC 7498-2).

cryptographic algorithm

A method of performing a cryptographic transformation (see Overview of Virtual Smartcard Services) on a data unit. Cryptographic algorithms may be based on symmetric key methods (the same key is used for both encipher and decipher transformations) or on asymmetric keys (different keys are used for encipher and decipher transformations).

cryptographic checkvalue

Information that is derived by performing a cryptographic transformation (see Overview of Virtual Smartcard Services) on a data unit (see ISO/IEC 7498-2).
The derivation of the checkvalue may be performed in one or more steps and is a result of a mathematical function of the key and data unit. It is usually used to check the integrity of a data unit.


The discipline that embodies principles, means, and the methods for the transformation of data in order to hide its information content, prevent its undetected modification, and/or prevent its unauthorized use (see ISO/IEC 7498-2).
The choice of cryptography mechanism determines the methods used in encipherment and decipherment. An attack on a cryptographic principle, means, or method is cryptanalysis.

data integrity

The property that data has not been altered or destroyed in an unauthorized manner (see ISO/IEC 7498-2).

data origin authentication

The corroboration that the entity responsible for the creation of a set of data is the one claimed.


The reversal of a corresponding reversible encipherment (see ISO/IEC 7498-2).


See Overview of Virtual Smartcard Services (see ISO/IEC 7498-2).

denial of service

The unauthorized prevention of authorized access to resources or the delaying of time-critical operations (see ISO/IEC 7498-2).

digital signature

Data appended to, or a cryptographic transformation (see Overview of Virtual Smartcard Services) of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery; for example, by the recipient (see ISO/IEC 7498-2).

distinguishing identifier

Data that unambiguously distinguishes an entity in the authentication process. Such an identifier shall be unambiguous at least within a security domain (see ISO/IEC 10181-2).


The cryptographic transformation of data (see Overview of Virtual Smartcard Services) to produce ciphertext (see ISO/IEC 7498-2).
Encipherment may be irreversible, in which case the corresponding decipherment process cannot feasibly be performed. Such encipherment may be called a one-way function or cryptochecksum.


See Overview of Virtual Smartcard Services (see ISO/IEC 7498-2).

end-to-end encipherment

Encipherment of data within or at the source end system, with the corresponding decipherment occurring only within or at the destination end system (see ISO/IEC 7498-2).


The assignment of a name by which an entity can be referenced. The entity may be high level (such as a user) or low level (such as a process or communication channel).


See Overview of Virtual Smartcard Services (see ISO/IEC 7498-2).


A sequence of symbols that controls the operations of encipherment and decipherment (see ISO/IEC 7498-2).

key management

The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy (see ISO/IEC 7498-2).

messaging application

An application based on a store-and-forward paradigm; it requires an appropriate security context to be bound with the message itself.

off-line authentication certificate

A particular form of authentication information binding an entity to a cryptographic key, certified by a trusted authority, which may be used for authentication without directly interacting with the authority (see ISO/IEC 10181-2).

on-line authentication certificate

A particular form of authentication information, certified by a trusted authority, which may be used for authentication following direct interaction with the authority (see ISO/IEC 10181-2).


Confidential authentication information, usually composed of a string of characters (see ISO/IEC 7498-2).

peer-entity authentication

The corroboration that a peer entity in an association is the one claimed (see ISO/IEC 7498-2).


An entity whose identity can be authenticated (see ISO/IEC 10181-2).

private key

A key used in an asymmetric algorithm. Possession of this key is restricted, usually to only one entity (see ISO/IEC 10181-1).

public key

The key, used in an asymmetric algorithm, that is publicly available (see ISO/IEC 10181-1).

quality of protection

A label that implies methods of security protection under a security policy. This normally includes a combination of integrity and confidentiality requirements and is typically implemented in a communications environment by a combination of cryptographic mechanisms.


Denial by one of the entities involved in a communication of having participated in all or part of the communication (see ISO/IEC 7498-2).


A cryptographic checkvalue that supports integrity but does not protect against forgery by the recipient (that is, it does not support non-repudiation). When a seal is associated with a data element, that data element is sealed (see ISO/IEC 10181-1).

secret key

In a symmetric cryptographic algorithm, the key shared between two entities (see ISO/IEC 10181-1).

secure association

An instance of secure communication (using communication in the broad sense of space and/or time) which makes use of a secure context.

secure context

The existence of the necessary information for the correct operation of the security mechanisms at the appropriate place and time.

security architecture

A high-level description of the structure of a system, with security functions assigned to components within this structure.

security attribute

A security attribute is a piece of security information which is associated with an entity.

security audit

An independent review and examination of system records and operations in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures (see ISO/IEC 7498-2).

security audit trail

Data collected and potentially used to facilitate a security audit (see ISO/IEC 7498-2).

security certificate

A set of security-relevant data from an issuing security authority that is protected by integrity and data origin authentication, and includes an indication of a time period of validity (see ISO/IEC 10181-1).
All certificates are deemed to be security certificates (see the relevant definitions in ISO/IEC 7498-2) adopted in order to avoid terminology conflicts with the directory authentication standard.

security label

The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource (see ISO/IEC 7498-2).
The marking may be explicit or implicit.

security service

A service which may be invoked directly or indirectly by functions within a system that ensures adequate security of the system or of data transfers between components of the system or with other systems.

security state

State information that is held in an open system and which is required for the provision of security services.


See Overview of Virtual Smartcard Services (see ISO/IEC 7498-2).


A relationship between two elements, a set of operations, and a security policy in which element X trusts element Y if and only if X has confidence that Y behaves in a well-defined way (with respect to the operations) that does not violate the given security policy (see ISO/IEC 10181-1).

trusted computing base (TCB)

The totality of protection mechanisms within an IT system, including hardware, firmware, software, and data, the combination of which is responsible for enforcing the security policy.

trusted functionality

That which is perceived to be correct with respect to some criteria; for example, as established by a security policy (see ISO/IEC 7498-2).

trusted third party

A security authority or its agent, trusted by other entities with respect to security-related operations (see ISO/IEC 10181-1).