Technical Study: Security in Federated Naming
Technical Study: Security in Federated Naming
Copyright © 1997 The Open Group
access controlThe prevention of unauthorized use of a resource including the prevention of
use of a resource in an unauthorized manner [ISO 7498-2:1989].
access control policyThe set of rules that define the conditions under which an access may take
place [IS0/IEC CD 10181-3 Oct 1991].
accountabilityThe property that ensures that the actions of an entity may be traced to that
entity [ISO 7498-2:1989].
atomic nameIndivisible component of a name.
authenticated identityAn identity of a principal that has been assured through
authentication [ISO/IEC DIS 10181-2 Jul 1991].
authenticationSee data origin authentication, and peer entity authentication
authentication exchangeA sequence of one or more transfers of exchange authentication information
(AI) for the purposes of performing an authentication [ISO/IEC DIS 10181-2 Jul
availabilityThe property of being accessible and usable upon demand by an authorised
entity [ISO 7498-2:1989].
bindingassociation of an atomic name with an object reference.
composite namename that spans multiple naming systems. An ordered list of one or more
composite name resolutionthe process of resolving a name that spans multiple naming systems.
compound namesequence of one or more atomic names composed according to a naming
confidentialityThe property that information is not made available or disclosed to
unauthorised individuals, entities, or processes [ISO 7498-2:1989].
contextan object whose state is a set of bindings with distinct atomic names.
Every context has an associated naming convention. A context provides a
lookup (resolution) operation, which returns the reference bound to an
object, and may provide operations such as for binding names, unbinding
names, and listing bound names.
credentialsData that is transferred to establish the claimed identity of an entity [ISO
cryptographyThe discipline that embodies principles, means, and the methods for
the transformation of data in order to hide its information content,
prevent its undetected modification and/or prevent its unauthorised
- The choice of cryptography mechanism determines the methods used in
encipherment and decipherment. An attack on a cryptographic
principle, means or method is
data integrityThe property that data has not been altered or destroyed in an unauthorised
manner [ISO 7498-2:1989].
data origin authenticationThe corroboration that the entity responsible for the creation of a set
of data is the one claimed.
denial of serviceThe prevention of authorised access to resources or the delaying of
time-critical operations[ISO 7498-2:1989].
digital signatureData appended to, or a cryptographic transformation (see cryptography) of, a
data unit that allows a recipient of the data unit to prove the source and
integrity of the data unit and protect against forgery for example, by the
DNSSECDomain Name System Security Extensions.
enciphermentThe cryptographic transformation of data to produce ciphertext.
- Encipherment may be irreversible, in which case the corresponding
decipherment process cannot feasibly be performed. Such encipherment
may be called a one-way-function or cryptochecksum.
federated namespaceset of all possible names generated according to the policies that
govern the relationships among member naming systems and their
federated naming serviceservice offered by a federated naming system.
GSS-APIGeneric Security Service Application Programming Interface.
Independent Data Unit Protection.
initial contextevery XFN name is interpreted relative to some context, and every XFN
naming operation is performed on a context object. The XFN interface
provides a function to allow a client to obtain an
object that provides the starting point for the resolution
of composite names.
IPSECIP Security Protocol.
masqueradeThe unauthorised pretence by an entity to be a different entity
namespaceset of all names in a naming system.
naming servicethe service offered by a naming system
naming systema connected set of contexts of the same type (having the same naming
convention) and providing the same set of operations with identical
naming system boundarythe point where the namespace under the control of one member of the
federation ends, and where the namespace under the control of the next
member of the federation begins.
peer-entity authenticationThe corroboration that a peer entity in an association is the one
claimed [ISO 7498-2:1989].
principalAn entity whose identity can be authenticated [ISO/IEC DIS 10181-2 Jul 1991].
referencea reference of an object contains one or more communications endpoints
repudiationDenial by one of the entities involved in a communication of having
participated in all or part of the communication [ISO 7498-2:1989].
secure associationAn instance of secure communication (using communication in the broad sense
of space and/or time) which makes use of a secure context.
secure contextThe existence of the necessary information for the correct operation of the
security mechanisms at the appropriate place and time.
security attributeA security attribute is a piece of security information which is associated
with an entity in a distributed system [ECMA-138 Dec 1989].
security auditAn independent review and examination of system records and operations in
order to test for adequacy of system controls, to ensure compliance with
established policy and operational procedures, to detect breaches in security
and to recommend any indicated changes
in control, policy and procedures [ISO 7498-2:1989].
security audit trailData collected and potentially used to facilitate
a security audit [ISO 7498-2:1989].
security domainA set of elements, a security policy, a security authority and a set of
security-relevant operations in which the set of elements are subject to the
security policy, administered by the security authority, for the specified
activities [ISO/IEC CD 10181-1:Dec 1992].
security policyThe set of criteria for the provision of security services.
security serviceA service which may be invoked directly or indirectly by functions
within a system that ensures
adequate security of the system or of data transfers between
components of the system or with other systems.
SSLSecure Socket Layer.
subcontextan atomic name in one context object can be bound to a reference to
another context object of the same type, called a subcontext, giving
rise to a compound name. For example in /usr/local/bin the atomic
name local is bound in the context of usr to a directory
context (and subcontext) in which bin is found.
threatA potential violation of security [ISO 7498-2:1989].
traffic paddingThe generation of spurious instances of communication, spurious data units
or spurious data within data units [ISO 7498-2:1989].
vulnerabilityWeakness in an information system or components (for example, system security
procedures, hardware design, internal controls) that could be exploited to
produce an information-related misfortune [FC Ver 1.0 Dec 1992].
Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy
of this publication.