Technical Study: Security in Federated Naming
Copyright © 1997 The Open Group
Glossary
access control
The prevention of unauthorized use of a resource including the prevention of
use of a resource in an unauthorized manner [ISO 7498-2:1989].
access control policy
The set of rules that define the conditions under which an access may take
place [ISO/IEC CD 10181-3 Oct 1991].
accountability
The property that ensures that the actions of an entity may be traced to that
entity [ISO 7498-2:1989].
atomic name
Indivisible component of a name.
authenticated identity
An identity of a principal that has been assured through
authentication [ISO/IEC DIS 10181-2 Jul 1991].
authentication
See data origin authentication and peer entity authentication
[ISO 7498-2:1989].
authentication exchange
A sequence of one or more transfers of exchange authentication information
(AI) for the purposes of performing an authentication [ISO/IEC DIS 10181-2 Jul
1991].
availability
The property of being accessible and usable upon demand by an authorised
entity [ISO 7498-2:1989].
binding
association of an atomic name with an object reference.
composite name
name that spans multiple naming systems. An ordered list of one or more
components.
composite name resolution
the process of resolving a name that spans multiple naming systems.
compound name
sequence of one or more atomic names composed according to a naming
convention.
confidentiality
The property that information is not made available or disclosed to
unauthorised individuals, entities, or processes [ISO 7498-2:1989].
context
an object whose state is a set of bindings with distinct atomic names.
Every context has an associated naming convention. A context provides a
lookup (resolution) operation, which returns the object reference bound to
an atomic name, and may provide further operations such as binding names,
unbinding names, and listing bound names.
credentials
Data that is transferred to establish the claimed identity of an entity [ISO
7498-2:1989].
cryptography
The discipline that embodies principles, means, and the methods for
the transformation of data in order to hide its information content,
prevent its undetected modification and/or prevent its unauthorised
use.
Note: The choice of cryptographic mechanism determines the methods used in
encipherment and decipherment. An attack on a cryptographic principle, means
or method is cryptanalysis.
data integrity
The property that data has not been altered or destroyed in an unauthorised
manner [ISO 7498-2:1989].
data origin authentication
The corroboration that the entity responsible for the creation of a set
of data is the one claimed.
denial of service
The prevention of authorised access to resources or the delaying of
time-critical operations [ISO 7498-2:1989].
digital signature
Data appended to, or a cryptographic transformation (see cryptography) of, a
data unit that allows a recipient of the data unit to prove the source and
integrity of the data unit and protect against forgery, for example by the
recipient [ISO 7498-2:1989].
DNSSEC
Domain Name System Security Extensions.
encipherment
The cryptographic transformation of data to produce ciphertext.
Note: Encipherment may be irreversible, in which case the corresponding
decipherment process cannot feasibly be performed. Such encipherment may be
called a one-way function or cryptochecksum.
federated namespace
set of all possible names generated according to the policies that
govern the relationships among member naming systems and their
respective namespaces.
federated naming service
service offered by a federated naming system.
GSS-API
Generic Security Service Application Programming Interface.
IDUP
Independent Data Unit Protection.
initial context
every XFN name is interpreted relative to some context, and every XFN
naming operation is performed on a context object. The XFN interface
provides a function to allow a client to obtain an "initial context"
object that provides the starting point for the resolution of composite
names.
IPSEC
IP Security Protocol.
masquerade
The unauthorised pretence by an entity to be a different entity
[ISO 7498-2:1989].
namespace
set of all names in a naming system.
naming service
the service offered by a naming system.
naming system
a connected set of contexts of the same type (having the same naming
convention) and providing the same set of operations with identical
semantics.
naming system boundary
the point where the namespace under the control of one member of the
federation ends, and where the namespace under the control of the next
member of the federation begins.
peer-entity authentication
The corroboration that a peer entity in an association is the one
claimed [ISO 7498-2:1989].
principal
An entity whose identity can be authenticated [ISO/IEC DIS 10181-2 Jul 1991].
reference
a reference to an object contains one or more communication endpoints
(addresses).
repudiation
Denial by one of the entities involved in a communication of having
participated in all or part of the communication [ISO 7498-2:1989].
secure association
An instance of secure communication (using communication in the broad sense
of space and/or time) which makes use of a secure context.
secure context
The existence of the necessary information for the correct operation of the
security mechanisms at the appropriate place and time.
security attribute
A security attribute is a piece of security information which is associated
with an entity in a distributed system [ECMA-138 Dec 1989].
security audit
An independent review and examination of system records and operations in
order to test for adequacy of system controls, to ensure compliance with
established policy and operational procedures, to detect breaches in security
and to recommend any indicated changes
in control, policy and procedures [ISO 7498-2:1989].
security audit trail
Data collected and potentially used to facilitate
a security audit [ISO 7498-2:1989].
security domain
A set of elements, a security policy, a security authority and a set of
security-relevant operations in which the set of elements are subject to the
security policy, administered by the security authority, for the specified
activities [ISO/IEC CD 10181-1:Dec 1992].
security policy
The set of criteria for the provision of security services.
security service
A service which may be invoked directly or indirectly by functions
within a system that ensures
adequate security of the system or of data transfers between
components of the system or with other systems.
SSL
Secure Socket Layer.
subcontext
an atomic name in one context object can be bound to a reference to
another context object of the same type, called a subcontext, giving
rise to a compound name. For example, in /usr/local/bin the atomic
name local is bound in the context usr to a directory context (the
subcontext) in which bin is found.
threat
A potential violation of security [ISO 7498-2:1989].
traffic padding
The generation of spurious instances of communication, spurious data units
or spurious data within data units [ISO 7498-2:1989].
vulnerability
Weakness in an information system or components (for example, system security
procedures, hardware design, internal controls) that could be exploited to
produce an information-related misfortune [FC Ver 1.0 Dec 1992].