INDEX

1-tuple

16-bit architecture

1970 (end of time timestamp)

[??]

a priori trust,

abbreviation, of transit path

absolute expiration time

abstract syntax notation

abstracting

academic discipline

accepting weak keys

access

  • Access Control Lists (ACLs)
  • ACL Managers
  • Access Control List API
  • Glossary

    Access Control

    access control decision

    access control list (ACL),

    Access Control, Attributes with Triggers

    Access Control, for Attribute Types

    access determination algorithm

    access request, input to CADA

    access semantics, of permissions

    access,

    access, matrix

    accessor

    account

    account domain

    account information, conceptual part of login context

    account name, equals login name

    account, creator

    account, data (data type)

    account, entry in RS datastore

    account, exactly one key

    account, expiration

    account, flag

    account, information, administration-level

    account, lifetime

    account, local-ID (data type)

    account, name of

    account, unambiguous reference

    account, user-level information

    account, UUID (data type)

    accounts

    accuracy

    accuracy, of time source

    ACL

  • Access Control Lists (ACLs)
  • ACL Managers
  • ACL Editor RPC Interface
  • RS Editor RPC Interfaces
  • Glossary

    ACL editor,

    ACL manager API, future work

    ACL manager type UUID

    ACL manager type UUID, input to CADA

    ACL manager,

    ACL manager, ACLE types supported

    ACL manager, common

    ACL manager, multiple

    ACL manager, permission

    ACL manager, POSIX support

    ACL manager, type UUID

    ACL manager, types supported by RS

    ACL Permissions, Generic

    ACL type, not all need be supported

    ACL,

    ACL, common

    ACL, data type

    ACL, default creation

    ACL, Editor

    ACL, entry (ACLE) (data type)

    ACL, Extensions

    ACL, for xattrschema Object

    ACL, identity of

    ACL, initial

    ACL, initial container

    ACL, initial object

    ACL, multiple

    ACL, not supported in name-based

    ACL, physical separation from referent

    ACL, pointer to

    ACL, protection/object

    ACL, semantics interpreted by manager

    ACL, type

    ACL, type (data type)

    ACL, unauthenticated entry

    ACLE

    ACLE,

    ACLE, data type

    ACLE, extended information

    ACLE, permission set

    ACLEs

    ACLs

  • ACL Editor RPC Interface

    acting as a delegate

    action

    active aspect

    active bits of DES vector

    additional

    address

    addresses

    adequacy of security, evaluating

    administer permission

    administration-level information

    administrative flag

    administrative interface

    administrator

    algorithm

  • Encryption/Decryption Mechanisms
  • Key Distribution (Authentication) Services
  • ACL Managers
  • Glossary

    algorithm, access determination

    algorithm, basic DES

    algorithm, CADA

    algorithm, CBC mode

    algorithm, common access determination

    algorithm, generate RA header

    algorithm, generation of AS response

    Algorithm, intercell_action

    algorithm, KDS Error processing

    algorithm, next-hop

    algorithm, prepare authentication header

    algorithm, processing privilege authentication/RA

    algorithm, TGS request/response

    algorithm, trusted

    Algorithm, use_defaults

    algorithms

    alias

    alias, feature of principal domain

    alias, in principal domain

    allowable

    alter_context

    alter_context PDU

    alter_context_response

    alter_context_response PDU

    alternate algorithm, in future version

    alternative approach

    ambiguity, of partially qualified string

    ambiguity, syntactic, of PGO name

    AND,

    annotating a binding handle

    anonymous

    Anonymous Identity

    Anonymous Identity, data type

    Anonymous, Cell UUID

    anonymous, client

    Anonymous, Group UUID

    Anonymous, Principal UUID

    Anonymous, Version 1 UUID

    ANSI X3.106

    ANSI X3.92

    ANY_OTHER

    ANY_OTHER, algorithm

    ANY_OTHER, at most one

    ANY_OTHER, supported by common ACL manager

    ANY_OTHER_DEL

    ANY_OTHER_DEL, algorithm

    ANY_OTHER_DELEG

    API

    append

    appendix

    AppleTalk, registered address type

    application

    application, correctly written

    architecture

    arithmetic

    arithmetic, modular

    arithmetic, on timestamps

    array, of pointers to ACL

    AS

    AS request

    AS request, client sends

    AS request/response

    AS response

    AS,

    AS, receipt of request

    AS, request/response processing

    AS, response (data type)

    AS, response received by client

    ASCII

    ASN.1

    aspect, active/passive

    asserted

    asserted PAC,

    asserted, status of PAC

    assertion

    associated

    assurance, of correctly-written applications

    assured

    assured service,

    asymmetric trust peers

    atomicity, in changes to ACL

    attack

    attr_schema, ACL manager permission

    attr_schema, ACL manager type UUID

    attr_schema, supported ACLE types

    attribute

  • Well-Known Attribute Types
  • Unknown Intercell Action Attribute
  • Privilege (Authorisation) Services
  • Glossary

    Attribute Encodings

    Attribute Permissions, Additional

    Attribute Schema,

    Attribute Schemas, Well-known

    Attribute Scope

    Attribute Sets

    Attribute Trigger Facility,

    Attribute Trigger,

    Attribute Triggers

    Attribute Type Flags,

    attribute,

    attribute, of user (data type)

    attribute, PAC, in RS information

    attribute, PGO item (data type)

    attribute, policy

    attribute, privilege

    attributee

    attributes

    Attributes, Additional Permissions

    Attributes, Privilege (for EPAC)

    Attributes, Well Known

    audience

    auditing, not in this version

    auth_value.assoc_uuid_crc

    auth_value.checksum

    auth_value.credentials

    authenticated, flag in PAC

    authentication

  • Authentication Headers
  • Authentication Header Flags
  • (Reverse-)Authentication Header Processing
  • Cross-Cell Authentication
  • Privilege (Authorisation) Services
  • DCE Security Replication and Propagation

    authentication data, checked by KDS server

    authentication data, data type

    authentication data, registered

    authentication flag,

    authentication header processing

    authentication header, data type

    authentication information permission

    authentication method, in RS information

    authentication policy, in registry property

    authentication service (AS),

    authentication service, registered

    authentication,

    authentication, and Kerberos

    authentication, client sends header

    authentication, cross-cell

    authentication, data

    authentication, flag

    authentication, header omitted

    authentication, mutual, at TGS request

    authentication, of TGS service, need for

    authentication, policy

    authentication, server receives header

    authentication, service not autonomous from KDS

    authentication, situations warranting

    authentication, time of

    authentication, to KDS server

    authentication, user-to-user

    authentication, verifier (PDU)

    authentication, vs. authorisation

    authenticator, available

    authenticator, data type

    authenticator, decrypted by KDS server

    authenticator, in Kerberos protocol

    authenticator, in service request

    authenticator, in TGS request

    authenticator, timestamp in

    authenticators

    authenticity

    authenticity,

    authenticity, protected by DES

    authenticity, protected by DES-MD4/5

    authnr-Cksum, usage in CL security

    authorisation

  • Key Distribution (Authentication) Services
  • Privilege (Authorisation) Services
  • PAC-Based Privilege Service (PS)
  • Data Types
  • Name-Based Authorisation
  • Glossary

    Authorisation Algorithm, for Delegation

    authorisation data, data type

    authorisation data, registered

    authorisation decision computation

    authorisation identity, data type

    authorisation service,

    authorisation service, registered

    authorisation,

    authorisation, cross-cell

    authorisation, foreign groupsets (data type)

    authorisation, in PTGS request

    authorisation, in RS information

    authorisation, local/foreign (data type)

    authorisation, name-based

    authorisation, name-based versus PAC-based

    authorisation, vs. authentication

    Authorisation-Vetting

    authority

    authority of authentication, conceptual part of login context

    authority,

    available, authenticator

    avoided

    avoided key

    base

    basic

    basic DES

    basic DES algorithm, details

    be

    belief

    belief,

    belonging to a cell

    BER

    between

    big-endian,

    big/big-endian encoding in pickle

    bilateral authentication

    bind

    bind PDU

    bind_ack

    bind_ack PDU

    binding

    binding handle

    binding handle, RPC

    binding, to ACL server

    bit representation, permission

    BIT STRING

    BIT STRING, denoting field element

    bit,

    bit, implementation of permission

    bit, parity, in DES key

    bit, unused

    bit-position, of permissions

    bit-reflection

    bit-sequence, mapping to integer

    Bit-Sequences

    bit-vector, implementation of permission

    bit-vector, pickle as

    Bit/Byte-Sequences

    bits

    bitset

    bitset, data type

    bitwise

    bitwise boolean AND,

    bitwise boolean OR,

    bitwise boolean XOR,

    bitwise operation

    bitwise rotation

    block space

    block, DES

    block, encryption of partial

    bodies

    body

    body, of KDS request (data type)

    body, of PDU

    body, of pickle

    body, PDU

    bootstrap, use of sec_login API after

    bootstrapping trust

    bounds on ID numbers, in registry property

    buffer

    built-in integrity

    by

    byte,

    byte, interpretation as integer

    byte-sequence, mapping to integer

    Byte-Sequences

    byte-vector, pickle as

    bytes

    C language, pseudocode resembling

    cache, in RS information

    cache, maintenance

    caching

    CADA

    CADA,

    CADA, not supported in name-based

    CADA, subalgorithm

    call

    case sensitivity

    CBC

    CBC mode algorithm

    CBC mode of DES

    CCITT X.208

    CCITT X.209

    CCITT X.509

    CCITT-32

    CCITT-32,

    CDS directory service, use in RPC binding

    CDS naming syntax

    CDS-supported namespace

    cell

  • Privilege (Authorisation) Services
  • DCE Security Replication and Propagation
  • Glossary

    cell name, data type

    cell name, in registry property

    cell name, in RS information

    cell principal,

    cell UUID,

    cell,

    cell, checked by KDS server

    cell-profile

    cell-wide information

    Cells-Cross-cell

    certificate

    certificate, privilege attribute,

    certificates

    certification

    certification,

    certification, and scd_protected_noop()

    certification, basis of login validation

    certify

    certify login context

    certify,

    chain

    chain, trust,

    chaining

    chaining properties

    chaining property, satisfied by twisted CRC

    chains

    challenge

    change

    change password

    change permission

    change, date/time

    CHAOSnet, registered address type

    chapter

    character set, portable

    character, restrict choice of

    checksum

  • Encryption/Decryption Mechanisms
  • Key Distribution (Authentication) Services

    checksum type, in RS information

    checksum,

    checksum, checked by KDS server

    checksum, data type

    checksum, DES-CBC

    checksum, in TGS request

    checksum, registered type

    checksum, type (data type)

    checksums

    checksumtext

    child object,

    child process, inheritance of login context

    choices

    chunks

    cipher

    cipher block chaining CBC

    cipher function

    ciphertext, operated on by DES

    circular shift

    CL

    CL, integrity and confidentiality

    CL, security

    CL, verifier

    claimed identity

    class, of protected objects

    client

    client cell, in TGS response

    client name, in TGS response

    client name, versus CDS-registered service name

    client receives RA header

    client sends AS request

    client, anonymous

    client, in CL context

    client, in KDS Error message

    client, in transit path

    client, named

    client, named, in privilege ticket

    client, nominated

    client, receives AS response

    client, receives PTGS response

    client, receives RA header

    client, receives TGS response

    client, sends authentication header

    client, sends PA header

    client, sends PTGS request

    client, sends TGS request

    client-side access information

    client-side security context

    climate of opinion

    clock

    clock skew

    clock skew, in RS information

    clock, synchronisation

    CO

    CO integrity and confidentiality

    CO, security

    CO, verifier

    code

    codebook

    codes

    Codes/Text/Data

    coefficient, and endianness

    collision of ACLE

    collision resistance, of MD4

    collision resistance, of MD5

    collision, resistance of MD4, MD5

    collision-resistance

    combination permission, bit position

    combinations of ACLs

    combined

    comma, metacharacter in transit path

    common

  • Access Control Lists (ACLs)
  • ACL Managers
  • ACL Editor RPC Interface
  • RS Editor RPC Interfaces
  • ID Map Facility RPC Interface
  • Key Management Facility RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface

    common access determination algorithm (CADA)

    common access determination algorithm,

    common access determination algorithm, CADA

    common ACL

    common ACL manager,

    common helpstring

    common permission

    common permission, bit position

    common printstring

    communication via RPC

    communication, of twisted CRC

    communication, start of protection

    compatibility

    complete

    complex permission, bit position

    complexity

    component, mapping from PGO name

    components

    composition

    composition law of CRC

    composition laws

    compress

    compressed, transit path

    compression, of transit path

    compromised

    compromises of timestamp security

    computation, authorisation decision

    computational complexity

    computing

    computing entity,

    concatenation

    concepts

    concurrent group set

    condition, on ACL

    confidence

    confidentiality

    confidentiality,

    confidentiality, CL

    confidentiality, CO

    confidentiality, protected by DES

    confidentiality, protected by DES, not MD4/5

    confounder

    conjunction,

    connection-oriented, security

    connection-oriented, verifier

    connectionless, security

    connectionless, verifier

    constants

    constructed form

    consuming the transit path

    container

    container object,

    containment of damage

    contents

    context

    context, at process start-up

    context, login

    context, of security-version UUID

    context, set for process at login

    control

    control access, using ACLs

    control permission

    controls

    conv_who_are_you_auth()

    convention, for encrypting partial blocks

    conventions

    conventions,

    conversation

    conversation key,

    conversation key, checked by KDS server

    conversation key, in CL security

    conversation key, in TGS request

    conversation key, negotiation

    conversation manager, CL

    coordination, inter-cell

    corrigenda

    cost, of changing password

    cost, of security checking

    costs

    counterfeit KDS

    counterfeit login, certification and

    counterfeit server

    cracking a cryptosystem

    CRC

    CRC, composition law

    CRC, registered

    CRC, twisted

    CRC-32

    crc_assoc_uuid

    CRCs

    creating

    creator of account

    credential

    credential,

    credential, CL

    credential, CO

    credential, issuing

    credentials

    cross-cell

    cross-cell authentication

    cross-cell authentication,

    cross-cell authorisation

    cross-cell coordination

    cross-cell referral

    cross-cell registration

    cross-cell security, poor in name-based

    cross-cell, complete scenario

    cross-registration

    cross-registration, global

    cryptanalysis,

    cryptographic checksum

    cryptographic key, data type

    cryptographic key, management

    cryptographic key, version number

    cryptography

    cryptography,

    cryptography, trusted algorithm/protocol

    cryptology

    cryptology,

    cryptovariable,

    current

    current login context

    current login context, at process start-up

    current long-term key

    cursor

    cursor, current position

    Cursor, for Delegate Iteration

    Cursor, for Extended Attributee Iteration

    cursor, in RS datastore

    cursor, meaningless across RS servers

    cursor, wrap-around

    cyclic

    cyclic redundancy checksum

    daemon

    daemon,

    daemon, inherited login context

    daemon, security-client

    damage containment

    data

  • Privilege (Authorisation) Services
  • Access Control Lists (ACLs)
  • ACL Managers
  • ACL Editor RPC Interface
  • RS Editor RPC Interfaces
  • ID Map Facility RPC Interface
  • Key Management Facility RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • Access Control List API
  • Registry API
  • ID Map API
  • Key Management API
  • Login API
  • Glossary

    data encryption standard (DES),

    data encryption standard,

    data repository (registry)

    data representation

    data type, ACL

    data type, ACL manager

    data type, Anonymous Identity

    data type, applicability to PS

    data type, authorisation identity

    data type, compatibility modes

    data type, Cursor (Delegate Iteration)

    data type, Cursor (Extended Attributee Iteration)

    data type, delegate restriction entry types

    data type, delegate restriction types

    data type, delegation compatibility modes

    data type, delegation restrictions

    data type, Delegation Token

    data type, Delegation Token Set

    data type, EPAC Seal

    data type, extended PAC (EPAC)

    data type, for EPAC Data

    data type, foreign groupset identity

    data type, foreign identity

    data type, Handle (attribute data)

    data type, in RS information

    data type, Kerberos

    data type, List of Seals

    data type, optional restrictions

    data type, PAC

    data type, PAC (Extended)

    data type, PAC format

    data type, Privilege Attributes

    data type, privilege authentication header

    data type, privilege RA header

    data type, privilege-ticket

    data type, PTGS request

    data type, required restrictions

    data type, restrictions

    data type, rpriv ps_app_tkt_result

    data type, rpriv ps_attr_request

    data type, rpriv ps_attr_result

    data type, rpriv ps_message

    data type, Set of PACs (Extended)

    data type, storable as pickle

    data type, Supported Delegation Types

    data type, Supported Seal Types

    data type, target restriction entry types

    data type, target restriction types

    data type, target restrictions

    data type, Version 0 Token Flags

    data versus metadata

    data, account (data type)

    data, encrypted (data type)

    Data, Extended PAC (EPAC)

    data, pre-authentication

    database

    datastore

    datastore query, result

    datastore, in RS

    datastore, lookup by local ID

    datastore, lookup by UUID

    datastore, quota

    datastream

    date, creation of account

    dbyte

    DCE

    DCE Delegation Model,

    DCE X.500 name type

    dce-ptgt

    dce-ptgt, reserved account

    dce-ptgt, reserved name

    dce-rgy

    dce-rgy, reserved account

    dce-rgy, reserved name

    dce_c_authn_level_integrity

    dce_c_authn_level_integrity, CL

    dce_c_authn_level_pkt

    dce_c_authn_level_pkt, CL

    dce_c_authn_level_pkt, CO

    dce_c_authn_level_pkt_integrity

    dce_c_authn_level_pkt_integrity, CO

    dce_c_authn_level_pkt_privacy

    dce_c_authn_level_pkt_privacy, CO

    dce_c_authn_level_privacy

    dce_c_authn_level_privacy, CL

    dce_c_cn_sub_type_des

    dce_c_cn_sub_type_md5

    DEA,

    decipher

    DECnet Phase IV, registered address type

    decode,

    decode/decrypt

    decrypt,

    decrypt, RA header

    decryption

    decryption, by KDS server

    decryption, CBC

    decryption, DES

    decryption, in received AS response

    decryption, in TGS response

    decryption, notation

    decryption, unsuccessful

    decryption, via DES

    default cell UUID

    default cell, ACLEs that refer to

    default creation ACL,

    definite form

    definitive identifier

    degree, of polynomial defining CRC

    delay, reflected in skew

    delegate

    delegate, ACLEs

    delegation

  • Components of Delegation Model
  • Enabling and Disabling Delegation
  • Delegation Controls
  • Delegation Tokens
  • Privilege (Authorisation) Services
  • Login API
  • Glossary

    delegation compatibility modes, data type

    Delegation Components - EPAC

    Delegation Controls

    delegation foreign ACLE type

    delegation local ACLE type

    Delegation Model - Components,

    Delegation Model - overview

    Delegation Token

    Delegation Token, data type

    Delegation Token, in PTGT

    Delegation, Authorisation Algorithm

    delegation, in this version

    Delegation, Login Functions

    Delegation, Remote Interfaces

    Delegation-Related

    delete

    delete item permission

    delete permission

    deletion of key

    denial

    denial of service

    denial of service, based on client address

    denial of service, from expired key

    denying access

    DER

    derived

    DES

  • Glossary

    DES block

    DES key, data type

    DES,

    DES, decryption

    DES, no raw API

    DES, restriction by governments

    DES, usage to ensure integrity

    DES-CBC

    DES-CBC checksum,

    DES-CBC-CRC encryption

    des_key

    details

    determination

  • ACL Managers
  • Glossary

    development

    dictionary attack

    difference between tickets

    different cell, PTGS processing

    digest, MD4

    digest, MD4, MD5

    digest, MD5

    digests

    dir_seq

    direct

    directory services

    Directory Services, and RPC binding

    directory, ACL manager permission

    directory, ACL manager type

    directory, ACL manager type UUID

    directory, supported ACLE types

    disable_time_interval

    disabling

    Disabling delegation

    disclosure, of ACLs unspecified

    discretionary policy

    discussion

    disjunction,

    display, of permission

    distinct principals

    distinct, integer (nonce)

    distinctness, of pgo-UUID

    distinguished encoding restriction

    distributed

    distributed environment

    distributed RPC

    distributed security,

    distributed time service (DTS),

    distributed, RPC service

    distribution

    DNS name type

    doctrine

    doctrine, Kerckhoffs'

    document

    domain

    domain,

    domain, account

    domain, and aliases

    domain, data type

    domain, group

    domain, naming

    domain, of ACL in model

    domain, organisation

    domain, principal

    dot notation

    double-UUID scheme

    DTS

    DTS,

    dummy operation

    duplicate cell names

    dynamic information, in ID map facility

    e

    earlier, in comparing timestamps

    editor

    Editor, ACL

    editor, ACL,

    editor, registry

    editor, registry (RS)

    editors

    ergodicity of DES

    empty PAC

    empty string

    enabling

    Enabling delegation

    encipher

    encode

    encode,

    encode, BER

    encode, pickle

    encoding

    encoding service

    Encoding/Decoding

    encodings

    encrypt

    encrypt,

    encrypted

    encrypted data, data type

    encrypted part of ticket

    encrypted pickle, data type

    encryption

  • DCE Security Replication and Propagation
  • Glossary

    encryption key, data type

    encryption key, in RS information

    encryption key, registered

    encryption type, initialisation

    encryption type, registered

    encryption, CBC

    encryption, in AS response

    encryption, in TGS request

    encryption, MD4 is not

    encryption, MD5 is not

    encryption, notation

    encryption, of partial blocks

    encryption, of ticket

    encryption, trivial

    encryption, type (data type)

    encryption, via DES

    Encryption/Decryption

    end of time

    endianness

    endianness,

    endpoint map

    English, use in common ACL manager

    enhancement not precluded

    entity

    entity, active/passive aspect

    entries

    entry

    entry (ACLE), data type

    entry, ACL

    environment

    environment, distributed

    environment_set

    environmental

    Environmental Parameters,

    environments

    EPAC

  • Privilege (Authorisation) Services
  • EPAC Accessor Function (sec_cred) API
  • Glossary

    EPAC Seal, EPAC Seal

    EPAC sets

    EPAC sets, linked to tickets

    EPAC, Access Functions

    EPAC, input to CADA

    EPACs

    EPACs, Receiving

    EPACs, Transmitting

    epoch,

    equal principals

    ERA

    ERA,

    ERA, disable_time_interval

    ERA, environment_set

    ERA, login_set

    ERA, max_invalid_attempts

    ERA, minimum_password_cycle_time

    ERA, passwd_override

    ERA, password_generation

    ERA, passwords_per_cycle

    ERA, pre_auth_req

    ERA, pwd_mgmt_binding

    ERA, pwd_val_type

    ergodicity

    error

  • Privilege (Authorisation) Services
  • Error Code Mapping List

    error message, KDS

    error status code, data type

    error status code, registered

    error, KDS

    error, KDS (data type)

    error, order of reporting

    error, PS processing

    error, PS, no special data type

    error-detecting property

    error_status_ok, in kds_request

    errors

    escape metacharacter

    establish credential, CL

    establish credential, CO

    establishing identity

    establishment

    evaluate adequacy of security

    exclusive or,

    execute permission

    exotic combinations of ACLs

    expanded, transit path

    expansion

    expiration

    expiration time

    expiration, account

    expiration, checked by KDS server

    expiration, checking

    expiration, in RS information

    expiration, in TGS request

    expiration, in TGS response

    expiration, initialisation

    expiration, of account

    expiration, password

    expire time, interpretation

    EXTENDED

  • Access Control Lists (ACLs)

    extended ACLE information

    extended ACLE type

    extended ACLE, prohibited from common ACL

    extended PAC (EPAC), data type

    Extended Privilege, Attribute Facility

    Extended Registry, Attribute Facility

    EXTENDED, optional in common ACL manager

    extending the naming model

    extension

    f

    F() (used in definition of MD4)

    F() (used in definition of MD5)

    facility

  • ID Map Facility RPC Interface
  • Key Management Facility RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • Glossary

    failed service request

    failure, in received response

    fan-folding

    feasibility, of key search attack

    federated naming

    field

    file group class ACLEs

    file, key table

    final

    final permutation

    fingerprint

    fingerprint,

    first

    first failure encountered

    flag, account's datastore information

    flag, administrative

    flag, authentication

    flag, authentication header

    flag, data type

    flag, KDS request (data type)

    flag, ticket (data type)

    flag, word, POSIX semantics

    flags

    foreign

    foreign ACLE type

    foreign authorisation, data type

    foreign group, in PAC

    foreign groups authorisation, data type

    foreign groupsets authorisation, data type

    foreign secondary group ID

    FOREIGN_GROUP

    FOREIGN_GROUP, algorithm

    FOREIGN_GROUP, limitation in common ACL

    FOREIGN_GROUP, supported by common ACL manager

    FOREIGN_GROUP_DEL, algorithm

    FOREIGN_GROUP_DELEG

    FOREIGN_OTHER

    FOREIGN_OTHER, algorithm

    FOREIGN_OTHER, limitation in common ACL

    FOREIGN_OTHER, supported by common ACL manager

    FOREIGN_OTHER_DEL

    FOREIGN_OTHER_DEL, algorithm

    FOREIGN_OTHER_DELEG

    FOREIGN_USER

    FOREIGN_USER, algorithm

    FOREIGN_USER, limitation in common ACL

    FOREIGN_USER, supported by common ACL manager

    FOREIGN_USER_DEL, algorithm

    FOREIGN_USER_DELEG

    formalisation of security theory

    format

    format, for displaying permission

    format, of PAC

    format, PAC (data type)

    formats

    formatting details,

    forward, combined with proxy

    forwardable, in AS response

    forwardable, in RS information

    forwardable, in TGS request

    forwardable, initialisation

    forwardable, KDS request flag

    forwardable, ticket flag

    FP

    frequency of changing password

    freshness, of authenticator

    frontmatter

    full BER

    full name

    fullname permission

    function

    fundamental

    further

    future work, solve multi-hop trust chain problem

    G() (used in definition of MD4)

    G() (used in definition of MD5)

    G-name

    gecos

    generalities

    generalities on security

    generation of ticket

    generation of weak keys

    generator, of CRC

    generic permissions

    genuine, received ticket

    geographic dispersion

    global

    Global Group Name

    Global Group Name, from Cell UUID and Group UUID

    global KDS cross-registration

    global PGO name

    Global Principal Name, from Cell UUID and Principal UUID

    global root

    global uniqueness

    glossary

    goal of security

    good password

    government, restriction on use of DES

    grace period

    granting access

    granting ticket

    granularity of time

    group

    group delegate

    group domain

    group permission

    group UUID,

    group, ACL manager permission

    group, ACL manager type

    group, ACL manager type UUID

    GROUP, algorithm

    group, identity (data type)

    group, in account item

    group, in PAC

    GROUP, limitation in common ACL

    group, primary vs. secondary

    group, separate namespace

    group, supported ACLE types

    GROUP, supported by common ACL manager

    group-ID

    group-name

    GROUP_DEL, algorithm

    GROUP_DELEG

    GROUP_OBJ

    GROUP_OBJ, algorithm

    GROUP_OBJ, at most one

    GROUP_OBJ, optional in common ACL manager

    GROUP_OBJ/GROUP/FOREIGN_GROUP

    GROUP_OBJ_DEL, algorithm

    GROUP_OBJ_DEL/GROUP_DEL/FOREIGN_GROUP_DEL

    GROUP_OBJ_DELEG

    groups

    guarantee, that SCD server is genuine

    guarantee, unique stringname

    guessing password

    H() (used in definition of MD4)

    H() (used in definition of MD5)

    hand-rolled pickle

    handle

    handle, binding, annotating

    Handle, for Privilege Attribute Data

    handle, protected, obtain

    handle, RPC binding

    handle_t

    hardware

    hardware, basis of key security

    hash

    hash,

    hash, CRC-32

    header

  • Privilege (Authorisation) Services

    header, authentication (data type)

    header, authentication, omitted

    header, authentication, processing

    header, client sends authentication

    header, of PDU

    header, of pickle

    header, privilege authentication (data type)

    header, privilege RA (data type)

    header, RA, client receives

    header, reverse authentication (data type)

    header, version number

    headers

    helpstring

    helpstring, and common ACL manager

    helpstring, common

    helpstrings

    hierarchy, of principals, groups and orgs

    hierarchy, organisational

    high-level ACL manipulation, not specified

    high-order bit, use of, in permission

    hint, in secidmap interface

    home

    home cell

    home cell,

    home directory

    honouring a ticket, time constraints on

    hop, in RS information

    host

    host address, communications, not security

    host address, data type

    host address, registered

    host principal name

    host-name, reserved account

    host-name, reserved name

    host-name, versus other machine name

    hot list, in RS information

    human understanding of security

    human-friendly stringname, in PGO item

    human-readable

    I() (used in definition of MD5)

    ID

    ID map facility

    ID map facility, bidirectional mapping

    identifier, definitive

    identifier, of RPC transfer syntax

    identifying

    identities

    identity

    identity, authorisation (data type)

    identity, authorisation, by PS

    identity, certainty of

    identity, data type

    identity, establishing

    identity, in AS response

    identity, in Kerberos protocol

    identity-based policy

    IDL, specifies pickles

    IDL/NDR

    idl_pkl_header_t,

    ignorance of algorithm

    illicit use of resources

    immediate

    impersonation

    implementation

    implementation requirement

    implementation variability

    implementation variability, in header processing

    implementation, not constrained by pseudocode

    import/export of DES

    in

    in_data

    in_data, CL

    indicator of position

    indirect trust

    indirect trust chain

    infallibility, relative

    infinite privilege

    information

    information, administration-level

    information, registry (RS)

    information, RS (data type)

    inheritance

    inheritance model

    inheritance of ACLs

    inheritance rules, and common ACL manager

    inheritance, of login context

    init process, login context

    init, use of sec_login API

    initial

    initial ACL,

    initial container ACL,

    initial key

    initial object ACL,

    initial permutation

    initial registration

    initial ticket, issuing

    initialisation vector, DES

    initialisation vector, of CRC

    initialise

    initialise permission

    initiator

    input

    Input/Output

    insecure

    insert permission

    instance

    instance, synonymous with server

    integer

    integer, mapping to bit-sequence

    integer, mapping to byte-sequence

    integer, mapping to mixed bit/byte-sequence

    integers

    integration

    integration with time services

    integrator

    integrity

    integrity,

    integrity, built-in

    integrity, CL

    integrity, CO

    integrity, protected by DES

    integrity, protected by DES-MD4/5

    intended

    intentional request, of cross-cell referral ticket

    inter-cell coordination

    interaction

    intercell

    intercell_action

    intercell_action, Algorithm

    interchangeability, of CADA steps

    interests of client

    interface

  • RS Editor RPC Interfaces
  • The rs_policy RPC Interface
  • Interface UUID and Version Number for rs_policy
  • The rs_pgo RPC Interface
  • Interface UUID and Version Number for rs_pgo
  • The rs_acct RPC Interface
  • Interface UUID and Version Number for rs_acct
  • The rs_misc RPC Interface
  • Interface UUID and Version Number for rs_misc
  • The rs_attr RPC Interface
  • Interface UUID for rs_attr
  • The rs_attr_schema RPC Interface
  • Interface UUID for rs_attr_schema
  • The rs_prop_acct RPC Interface
  • Interface UUID and Version Number for rs_prop_acct
  • The rs_prop_acl RPC Interface
  • Interface UUID and Version Number for rs_prop_acl
  • The rs_prop_attr RPC Interface
  • Interface UUID and Version Number for rs_prop_attr
  • The rs_prop_attr_schema RPC Interface
  • Interface UUID and Version Number for rs_prop_attr_schema
  • The rs_prop_pgo RPC Interface
  • Interface UUID and Version Number for rs_prop_pgo
  • The rs_prop_plcy RPC Interface
  • Interface UUID and Version Number for rs_prop_plcy
  • The rs_prop_replist RPC Interface
  • Interface UUID and Version Number for rs_prop_replist
  • The rs_pwd_mgmt RPC Interface
  • Interface UUID and Version Number for rs_pwd_mgmt
  • The rs_qry RPC Interface
  • Interface UUID and Version Number for rs_qry
  • The rs_repadm RPC Interface
  • Interface UUID and Version Number for rs_repadm
  • The rs_replist RPC Interface
  • Interface UUID and Version Number for rs_replist
  • The rs_repmgr RPC Interface
  • Interface UUID and Version Number for rs_repmgr
  • The rs_rpladmn RPC Interface
  • Interface UUID and Version Number for rs_rpladmn
  • The rs_unix RPC Interface
  • Interface UUID and Version Number for rs_unix
  • The rs_update RPC Interface
  • Interface UUID and Version Number for rs_update
  • ID Map Facility RPC Interface
  • The secidmap RPC Interface
  • Common Data Types and Constants for the secidmap Interface
  • Interface UUID and Version Number for the secidmap Interface
  • Key Management Facility RPC Interface
  • The Key Management RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • The scd RPC Interface
  • Common Data Types and Constants for scd Interface
  • Interface UUID and Version Number for scd Interface
  • Part 3

    interface UUID, ACLs

    interface UUID, rs_acct

    interface UUID, rs_attr

    interface UUID, rs_attr_schema

    interface UUID, rs_bind

    interface UUID, rs_misc

    interface UUID, rs_pgo

    interface UUID, rs_policy

    interface UUID, rs_prop_acct

    interface UUID, rs_prop_acl

    interface UUID, rs_prop_attr

    interface UUID, rs_prop_attr_schema

    interface UUID, rs_prop_pgo

    interface UUID, rs_prop_plcy

    interface UUID, rs_prop_replist

    interface UUID, rs_pwd_mgmt

    interface UUID, rs_qry

    interface UUID, rs_repadm

    interface UUID, rs_replist

    interface UUID, rs_repmgr

    interface UUID, rs_rpladmn

    interface UUID, rs_unix

    interface UUID, rs_update

    interface UUID, scd

    interface UUID, secidmap

    interface, administrative

    interface, RPC

    Interface, rpriv

    Interface, sec_id_epac_base

    interfaces

    intermediary

    intermediate

    intermediate cell in trust chain

    Internet host name, versus host-name

    Internet, DNS name type

    Internet, registered address type

    interpret, ticket

    interval, data type

    introduction, replication and propagation

    introduction, security services

    intuitive model

    invalid, ticket flag

    inverse initial permutation

    invisible, password

    IP

    irreducible generator

    is

    ISO 8859-1

    ISO, registered address type

    issues

    issuing cell TCB

    issuing credential

    issuing initial ticket

    item

    item,

    item, policy

    items

    iteration

    junction, namespace

    KDC (RFC 1510)

    KDS

  • KDS Errors
  • AS Request/Response Processing
  • TGS Request/Response Processing
  • KDS Error Processing
  • Privilege (Authorisation) Services

    KDS request, data type

    KDS server, must be principal

    KDS,

    KDS, as registry client

    KDS, at least one per cell

    KDS, basis of name-based authorisation

    KDS, counterfeit

    KDS, error (data type)

    KDS, error message

    KDS, error processing

    KDS, invoked only indirectly

    KDS, knowledge of foreign servers

    KDS, password irrelevant to

    KDS, request body (data type)

    KDS, request flag (data type)

    KDS, response (data type)

    KDS, response, encrypted part

    KDS, server receives TGS request

    KDS, TGS request/response processing

    KDS, ticket obtained at login

    KDS, two services

    KDS, use of protected RPC

    kds_request(), overview

    kerberos

    Kerberos,

    Kerberos, and use of most recent key

    Kerberos, maximum ticket lifetime

    Kerberos, outline of protocol

    Kerberos, registered service

    Kerberos, unregisterable data

    kerckhoffs

    kerckhoffs'

    Kerckhoffs', doctrine

    key

  • Key Management Facility RPC Interface
  • The Key Management RPC Interface
  • Common Data Types and Constants for Key Management
  • Key Management API
  • Glossary

    key distribution service (KDS),

    key distribution service,

    key management facility,

    key management, no special RPC interfaces

    key schedule

    key type

    key version number, presence/absence of

    key,

    key, deletion of

    key, DES

    key, DES (data type)

    key, distributed by KDS

    key, distribution service

    key, encryption (data type)

    key, exactly one per account

    key, frequency of changes

    key, in AS response

    key, in Kerberos protocol

    key, in TGS response

    key, limit on duration of validity

    key, long-term

    key, long-term, retrieval

    key, long-term/short-term

    key, lookup, in PGO item

    key, management

    key, mapping to password, registered

    key, MD4 does not depend on

    key, MD5 does not depend on

    key, most recent

    key, possibly-weak

    key, query, type

    key, safe lifetime

    key, search attack

    key, semi-weak

    key, session

    key, session/conversation

    key, to be avoided

    key, true session

    key, type, in RS information

    key, version number

    key, weak

    key-based

    key_seq_num

    keying information

    keys

  • Key Distribution (Authentication) Services

    knowledge

    knowledge of foreign KDS servers

    knowledge,

    krb5rpc

    krb5rpc identity, element of cell-profile node

    krb5rpc, metadata explicit in

    krb5tgt, reserved account

    krb5tgt, reserved name

    krbtgt

    KS

    language, natural

    LAS+TGS,

    last

    last request, data type

    last request, in RS information

    last request, in TGS response

    last request, inspection

    last request, registered

    later, end of time timestamp

    later, in comparing timestamps

    laws

    laws, composition

    least privilege

    least-significant byte (LSB),

    left

    left shift, in DES

    left shift/rotate

    legal ACL

    length

    length, of pickle

    length, password

    lifetime timestamp

    lifetime, account

    lifetime, in AS request

    lifetime, in registry property

    lifetime, of key in DES

    lifetime, of ticket

    lifetime, password

    lifetime, renewable

    lifetime, ticket

    lifetime, ticket, in RS information

    link, in trust chain

    linking

    links of chains

    list

  • Access Control List API
  • Error Code Mapping List
  • Glossary

    list of UUIDs

    list, access control (ACL),

    list, of pointers to ACL

    lists

    literature, current

    little-endian,

    local

    local ACLE type

    local authorisation, vs. foreign

    local cell UUID,

    local group, in groupset

    local group, in PAC

    local ID

    local ID, account (data type)

    local ID, lookup by

    local key store, management of keys in

    local password, data type

    locate

    lock,

    locking, semantics not specified

    logical security,

    login

  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • Login API
  • Glossary

    login context, non-interactive basis

    Login Denial

    Login Denial, Client Overview

    Login Denial, Overview

    Login Denial, Server Overview

    login facility,

    Login Functions, for delegation

    login name, equals account name

    login program,

    login request protocol

    login response protocol

    login shell

    login, availability of characters

    login_set

    long

    long PGO name

    long-term key

    long-term key, in RS information

    long-term key, one per account

    long-term key, retrieval

    longword,

    lookup by local ID

    lookup by UUID

    lookup key, data type

    lookup, result

    lost, information in PTGS request

    low-order bit, use of, in permission

    LS

    LSB,

    <dce/acct.h>

    <dce/aclbase.h>

    <dce/binding.h>

    <dce/keymgmt.h>

    <dce/misc.h>

    <dce/pgo.h>

    <dce/policy.h>

    <dce/rgynbase.h>

    <dce/sec_login.h>

    <dce/sec_rgy_attr.h>

    <dce/sec_rgy_attr_sch.h>

    <dce/secidmap.h>

    machine name, versus host-name

    machine principal name

    management

  • Key Management Facility RPC Interface
  • The Key Management RPC Interface
  • Common Data Types and Constants for Key Management
  • Key Management API
  • Glossary

    management information permission

    manager

  • RS Editor RPC Interfaces
  • Glossary

    manager, ACL,

    managers

  • ACL Managers

    managing keys

    mandatory policy

    manipulated old ticket

    map

    map, endpoint

    map, password to cryptographic key

    mapping

    mapping, password-to-key, registered

    mappings

    marshall, pickle

    mask ACLE type

    MASK_OBJ

    MASK_OBJ, and sec_acl_calc_mask()

    MASK_OBJ, at most one

    MASK_OBJ, optional in common ACL manager

    masking step in CADA

    masking step in DADA

    masquerade

    master

    master replica

    master/slave RS server

    matching

    matching step in CADA

    matching step in DADA

    mathematical probability

    matrix, access

    max_invalid_attempts

    maxClockSkew

    maximum

    maximum clock skew

    maximum clock skew, in RS information

    maximum ticket lifetime

    MD4

    MD4,

    MD4, no raw interface

    MD5

    MD5,

    MD5, no raw interface

    MD5, usage to ensure integrity

    mechanism

    mechanism,

    mechanisms

    mediation, of trust link across cells

    member of group,

    membership permission

    memorisation of password

    memory, inability to allocate

    message

  • Glossary

    Message Digest 5 (MD5),

    message digest, produced by MD4

    message digest, produced by MD5

    message identity code (MIC),

    message type, data type

    message type, in KDS Error message

    message,

    message, KDS Error

    message, notation

    messages

    metacharacter, escaping

    metacharacter, in cell name

    metacharacter, in transit path

    metadata

    metadata, pickle header

    metadata, tickets and authenticators

    metaticket,

    MIC,

    microsecond timestamp

    microsecond timestamp, alternative implementation

    microsecond, checked by KDS server

    microsecond, in KDS Error message

    microseconds

    minimum

    minimum implementation requirement

    minimum number of octets

    minimum_password_cycle_time

    mirrored RS server

    miscellaneous

    misuse of resources

    mix-in string

    mixed

    mixed bit/byte-sequence, mapping to integer

    mode

    mode, access

    model

    model of security,

    model, extend to multi-cell case

    model, extension of

    model, federated naming

    model, inheritance

    model, programming, RPC

    model, RPC binding

    model, shape, trusted

    models

    models, academic

    modes

    modification, date/time

    modular

    modular arithmetic

    monitor

    monitor, reference

    most recent key

    most-significant byte (MSB),

    MSB,

    multi-cell TCB

    Multi-Hop

    multi-hop trust chain

    multi-prong

    multi-prong attack

    multi-valued

    multiple

    multiple ACLs,

    multiple UUIDs

    mutual authentication

    mutual authentication, checked by KDS server

    mutual authentication, future work

    mutual authentication, in TGS request

    mutual authentication, of TGS service

    mutual required

    mutual trust

    n-tuple

    name permission

    name, data type

    name, full

    name, global PGO

    name, mapping by ID map facility

    name, of account

    name, of cell (data type)

    name, principal (data type)

    name, reserved

    name, RS (data type)

    name-based

    name-based authorisation

    name-based group, not supported

    named client

    named client, in privilege ticket

    names

  • RS Editor RPC Interfaces
  • ID Map Facility RPC Interface

    namespace junction

    namespace, separate

    NAMETYPE

    naming

    naming domain

    naming domain, data type

    naming model, extension of

    naming services, integration with security

    naming syntax, CDS

    natural language

    NDR format label

    NDR, encoding/marshalling of pickles

    NDR, not used in pickle fields

    needed

    negation, boolean,

    negotiation, in RS information

    negotiation, of conversation key

    network

    network delay

    network identity information, mapped at login

    network login context

    network TCB,

    network, compromise

    new ticket

    newly issued ticket

    next hop, in RS information

    nibble, not used in this specification

    no-op

    no-op, protected

    node, RPC cell profile

    nominate client,

    nominated client

    non-alphabetic, required in password

    non-cryptographic checksum

    non-empty, header and body of pickle

    non-interactive subject, and key management facility

    Non-Intermediary

    non-invertible digest

    non-linearity of DES

    nonce, as challenge

    nonce, checking

    nonce, data type

    nonce, in AS request

    nonce, in TGS request

    nonce, in TGS response

    nonce, initialisation

    nonces

    none, reserved group name

    none, reserved organisation name

    normal form, bytes of DES key

    not,

    notation

    notation,

    notation, for CBC encryption/decryption

    notation, for decryption

    notation, for encryption

    notes

    number

    number, random (data type)

    number, sequence (data type)

    numbers

    numerical rotation

    numerical rotation,

    O-name

    object

    object ACL,

    object,

    object, control of access to

    object, group

    object, identity of

    object, organisation

    object, principal

    object, protected

    object, underlying

    object, uniqueness of identification

    objective criterion of belief

    objects

    obscurity

    obtaining

    odd parity

    old ticket, manipulated

    one-way authentication in sec_acl

    opaque pointer, login context as

    opaque RPC transport

    opaque, cell name

    open

    operating system

    operating system, basis of key security

    operation, on bit-sequences

    operations

    opinion

    optimisation

    option

    optional

    OR,

    order of reporting errors

    ordering

    org-name

    organisation domain

    organisation, ACL manager permission

    organisation, ACL manager type

    organisation, ACL manager type UUID

    organisation, identity (data type)

    organisation, in account item

    organisation, policy information

    organisation, separate namespace

    organisation, supported ACLE types

    organization-ID

    organization-name

    original RPC

    origination

    OTHER_OBJ

    OTHER_OBJ, algorithm

    OTHER_OBJ, at most one

    OTHER_OBJ, supported by common ACL manager

    OTHER_OBJ_DEL

    OTHER_OBJ_DEL, algorithm

    OTHER_OBJ_DELEG

    out of band

    out_data

    out_data, in CL security

    outline

    outline of specification

    outline, of Kerberos protocol

    output

    overlap, of security domains

    overview

    owner, can control object's ACL

    owning group

    owning user

    p

    P-name

    PA header, received by server

    PA, client sends header

    PAC

  • Glossary

    PAC attribute, in RS information

    PAC format, data type

    PAC, (Set of) Extended (EPACs)

    PAC, contained in privilege ticket

    PAC, data type

    PAC, empty

    PAC, Extended (EPAC)

    PAC, pickled

    PAC-based

    PAC-based authorisation

    PAC-based PS

    PACs

    padata

    padding

    padding bits

    pair of UUIDs

    parameters

    parent object,

    parity, odd in DES key

    part

    part of KDS response

    part of message, notation

    part of RA header to be encrypted

    part of ticket to be encrypted

    partial block, encryption of

    partial qualification

    partitioned RPC

    partitioned, RPC service

    partitioning, of network TCB

    passive aspect

    passive bits of DES vector

    passive bits, destroying

    Password Strength

    passwd_override

    password

  • Glossary

    Password Expiration

    Password Management

    Password Management,

    Password Management, Overview

    password, and key search attack

    password, basis of long-term key

    password, change

    password, changing

    password, data type

    password, expiration

    password, level of confidence in

    password, lifetime

    password, minimum length

    password, not to be sent remotely

    password, policy restriction

    password, requested at login

    password, valid

    password, version number

    password-changing program

    Password-to-Key

    password-to-key mapping, registered

    password_generation

    passwords

    passwords_per_cycle

    path

    path, transit

    paths

    PC1

    PC1, PC2

    PC2

    PCS

    PCS, in printstring

    PDU

    PDU, verifier and body

    pepper

    per-cell PGO UUID

    per-end-principal, in RS information

    per-foreign-KDS, in RS information

    performance

    permission

    permission set

    permission, and common ACL manager

    permission, bit position

    permission, common

    permission, display format

    permission, exceeding maximum number

    permission, in ACLE

    permission, list

    permission, maximum number

    permission, semantics unspecified

    permissions

    permissions, not supported in name-based

    permutation

    permutation mapping

    permuted

    permuted choices

    PGO

    PGO item, attribute (data type)

    PGO item, data type

    PGO item, definitive identifier

    PGO name, mapping into components

    PGO name, short and long

    PGO UUID

    PGO, global name

    PGO, protected with ACLs

    pgo-ID

    PGO-name,

    physical security

    pickle

    pickle,

    pickle, data type

    pickle, in extended ACLE

    pickle, type (data type)

    pickled

    pickled PAC

    pickled PAC, in privilege-ticket

    pickles

    piggy-back

    pkl_length_hi

    pkl_length_low

    pkl_syntax

    pkl_type

    pkl_version

    plaintext

    plaintext, operated on by DES

    plaintext, pre-encrypted

    pointer, opaque, login context as

    pointer, to ACL

    policies

    policy

    policy attribute

    policy item

    policy item,

    policy,

    policy, ACL manager permission

    policy, ACL manager type

    policy, ACL manager type UUID

    policy, authentication

    policy, examples

    policy, in policy item

    policy, in registry property

    policy, of organisation

    policy, organisation

    policy, protected with ACLs

    policy, restriction on password

    policy, supported ACLE types

    polymorphic, no registry item is

    polymorphism

    polynomial, definition of CRC

    poor cryptographic characteristic

    port 88

    portability, seat

    portable character set

    portable character set, in printstring

    posited trust

    position indicator

    POSIX, and MASK_OBJ

    POSIX, draft rule for common ACL

    POSIX, extent of semantics

    POSIX, group

    POSIX, home directory

    POSIX, login shell

    POSIX, owner

    possibly

    possibly-weak keys,

    postdatable, in AS response

    postdatable, in RS information

    postdatable, in TGS request

    postdatable, initialisation

    postdatable, KDS request flag

    postdatable, ticket flag

    power, of polynomial defining CRC

    Pre-Authentication

    Pre-Authentication

    pre-authentication data

    Pre-Authentication, Overview

    Pre-authentication, protocol

    pre-encrypted plaintext

    pre-installation

    pre_auth_req

    preface

    prefixed name type

    primary group, in account item

    principal

    principal domain

    principal domain, and aliases

    principal name, data type

    principal name, not a parameter in sec_acl

    principal stringname, conceptual part of login context

    principal UUID,

    principal, ACL manager permission

    principal, ACL manager type

    principal, ACL manager type UUID

    principal, cell,

    principal, equal vs. distinct across cells

    principal, identity (data type)

    Principal, input to CADA

    principal, KDS server must be

    principal, separate namespace

    principal, supported ACLE types

    principal-ID

    principal-name

    printable stringname (data type)

    printstring

    printstring, and common ACL manager

    printstring, common

    printstring, data type

    printstring, permission

    printstrings

    priori

    privacy

    privilege

  • Glossary

    privilege attribute

    privilege attribute certificate (PAC),

    privilege attribute certificate, data type

    privilege authentication header, client sends

    privilege authentication header, data type

    privilege authentication/RA header

    privilege RA header, data type

    privilege service (PS),

    privilege service,

    privilege service, PAC-based

    privilege ticket

    privilege ticket granting service

    privilege ticket, not used in name-based authorisation

    privilege ticket, use in PS

    privilege, infinite

    privilege, service

    privilege-ticket,

    privilege-ticket, data type

    privilege-ticket-granting-ticket

    Privilege-Tickets

    probability

    process, context at start-up

    process, no correspondence with login context

    processing

    processing, AS request/response

    processing, header/RA header

    processing, privilege authentication/RA header

    processing, TGS request/response

    product

    profile

    programming

    programming model

    prompt, login

    propagation

    proper use of resources

    properties

    property, chaining

    property, in policy item

    property, of RS server (data type)

    protected

    protected communication, start of

    protected handle, obtain

    protected object

    protected password

    protected password, data type

    protected RPC,

    protecting security attribute

    protection ACL,

    protection of ticket

    protection, of AS response

    protection_level

    protocol

  • Protected RPC

    protocol data unit

    protocol message type, data type

    protocol message type, registered

    protocol tower

    protocol version number, data type

    protocol version number, registered

    protocol, Kerberos

    protocol, RPC (list)

    protocol, trusted

    protocols

    provability

    proxiable, in AS response

    proxiable, in RS information

    proxiable, in TGS request

    proxiable, initialisation

    proxiable, KDS request flag

    proxiable, ticket flag

    proximity and trust

    proxy, combined with forward

    PS

    PS error, no special data type

    PS request

    PS response

    PS,

    PS, as registry client

    PS, at least one per cell

    PS, error processing

    PS, no direct API

    PS, not visited in name-based authorisation

    PS, use of protected RPC

    ps_app_tkt_result_t

    ps_attr_request_t

    ps_attr_result_t

    ps_message_t

    ps_request_become_delegate

    ps_request_become_delegate(), overview

    ps_request_become_impersonator

    ps_request_become_impersonator(), overview

    ps_request_eptgt

    ps_request_eptgt(), overview

    ps_request_ptgt

    ps_request_ptgt(), overview

    pseudocode

    PTGS

    PTGS request, client sends

    PTGS request, data type

    PTGS request, lost information

    PTGS request, PS server receives

    PTGS response, client receives

    PTGS response, data type

    PTGS service

    PTGS, request/response processing

    PTGT

    public-key certificate

    publications

    pwd_mgmt_binding

    pwd_val_type

    Q[]

    quadratic vector Q[]

    quadword,

    qualification, partial

    quality, of nonce generator

    quality, of random number generator

    query

    query key, data type

    query key, type

    Query Triggers

    query, result

    queue

    quota

    quota,

    RA header processing

    RA header, client receives

    RA header, sent by server

    RA, header, client receives

    random

    random number, data type

    rationale, for extended ACLE

    raw UDP

    rdacl

    rdacl,

    rdacl, enumeration of functions

    rdacl_get_*(), basis of sec_acl_get_*()

    rdacl_get_access

    rdacl_get_access(), overview

    rdacl_get_manager_types

    rdacl_get_manager_types(), overview

    rdacl_get_mgr_types_semantics

    rdacl_get_mgr_types_semantics(), overview

    rdacl_get_printstring

    rdacl_get_printstring(), overview

    rdacl_get_referral

    rdacl_get_referral(), overview

    rdacl_lookup

    rdacl_lookup(), and EXTENDED ACLE type

    rdacl_lookup(), overview

    rdacl_place_holder_1

    rdacl_place_holder_1(), overview

    rdacl_replace

    rdacl_replace(), may modify RS data

    rdacl_replace(), overview

    rdacl_replace(), replacing old ACL

    rdacl_test_access

    rdacl_test_access(), overview

    rdacl_test_access_on_behalf(), overview

    read permission

    read, protection against

    read-only, RS site

    readable server

    realm

    realm name,

    realm,

    realm, usage in RFC 1510

    receives

    receiving

    reduction

    redundancy

    redundant UUIDs

    reference

    reference monitor

    reference monitor, RS

    referenced

    referent, of ACLE

    referent, of UUID

    referral ticket

    regarding

    registered

    registered authentication data type

    registered authentication service

    registered authorisation data type

    registered authorisation service

    registered cell name syntax

    registered checksum type

    registered CRC

    registered encryption key type

    registered encryption type

    registered error status code

    registered host address type

    registered last request

    registered password-to-key mapping

    registered protocol message type

    registered protocol version number

    registered RS name

    registered transit path type

    registration

    registration service,

    registration, cross-

    registration, cross-cell

    registration, of RS

    registry

    Registry Attributes

    registry editor

    registry information

    registry name, data type

    registry policy, conceptual part of login context

    registry property

    registry,

    registry, ACL manager types supported

    registry, editor

    rejection, of PAC without authentication

    relative infallibility

    relatively well-formed ACL,

    reliability

    remainder

    remote

    Remote Interfaces, Delegation

    renew, in TGS request

    renewable lifetime

    renewable, in AS response

    renewable, in RS information

    renewable, in TGS request

    renewable, initialisation

    renewable, KDS request flag

    replay

    replay attack

    replay attack, detecting via nonce

    replay cache, in RS information

    replay cache, server checks timestamp against

    replica

  • Replica Information
  • Replica State
  • Slave Replica
  • Creating a Replica
  • Delete A Replica
  • RS Editor RPC Interfaces

    replica overview

    replica state, data type

    replica, synonymous with server

    replicas

    replication

    replication model, protocol is future work

    replication, of network TCB

    replication, of RS service

    replist, ACL manager permission

    replist, ACL manager type UUID

    replist, supported ACLE types

    representations

    repudiation

    request

    request processing, TGS

    request, AS

    request, AS, receipt of

    request, KDS

    request, processing by AS

    request, PTGS (data type)

    request, PTGS processing

    request, PTGS, received

    request, service

    request, TGS

    request, TGS, receipt of

    Request/Response

    requestor

    requests

    required

    required item

    requirements

    reserved name

    resolution-with-residual support

    resource, proper/improper use

    response

    response processing, TGS

    response, AS

    response, AS, received by client

    response, AS, sending of

    response, processing by AS

    response, PTGS (data type)

    response, PTGS processing

    response, PTGS

    response, PTGS, received

    response, service

    response, TGS

    response, TGS, construction of

    response, TGS, receiving

    response, TGS, sending

    responses

    responsibility, of server

    restriction

    restrictions, data type

    Restrictions, Delegate

    Restrictions, Optional

    Restrictions, Required

    Restrictions, Target

    reverse authentication, client receives header

    reverse authentication, header (data type)

    reverse authentication, header omitted

    reverse authentication, header processing

    reverse authentication, server sends header

    reverse authenticator

    REVERSE transformation

    (Reverse-)Authentication

    Reverse-Authentication

  • Privilege (Authorisation) Services

    revocation, in RS information

    revoke, implicit when key is deleted

    revoke, ticket

    RFC 1320

    RFC 1321

    RFC 1510

    RFC 1510, expire time

    RFC 1510, in CL security

    rights

    rights, implementation variability

    rigour

    ritual, login

    root, global

    rotation

    rotations

    rounds

    routines

    RPC

  • ACL Editor RPC Interface
  • The rdacl RPC Interface
  • RS Editor RPC Interfaces
  • The rs_bind RPC Interface
  • The rs_policy RPC Interface
  • The rs_pgo RPC Interface
  • The rs_acct RPC Interface
  • The rs_misc RPC Interface
  • The rs_attr RPC Interface
  • The rs_attr_schema RPC Interface
  • The rs_prop_acct RPC Interface
  • The rs_prop_acl RPC Interface
  • The rs_prop_attr RPC Interface
  • The rs_prop_attr_schema RPC Interface
  • The rs_prop_pgo RPC Interface
  • The rs_prop_plcy RPC Interface
  • The rs_prop_replist RPC Interface
  • The rs_pwd_mgmt RPC Interface
  • The rs_qry RPC Interface
  • The rs_repadm RPC Interface
  • The rs_replist RPC Interface
  • The rs_repmgr RPC Interface
  • The rs_rpladmn RPC Interface
  • The rs_unix RPC Interface
  • The rs_update RPC Interface
  • ID Map Facility RPC Interface
  • The secidmap RPC Interface
  • Key Management Facility RPC Interface
  • The Key Management RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • The scd RPC Interface

    RPC binding handle

    RPC interface

    RPC PDU

    RPC server

    RPC, binding model

    RPC, integration with security

    RPC, profile node

    RPC, protected

    RPC, transfer syntax, in pickle

    RPC, used by all security servers

    rpc_binding_set_auth_info(), in login facility

    rpc_binding_inq_auth_caller(), overview

    rpc_binding_inq_auth_client(), overview

    rpc_binding_inq_auth_info(), overview

    rpc_binding_set_auth_info()

    rpc_binding_set_auth_info(), overview

    rpc_c_authz_name

    rpc_c_protect_level constants

    rpc_mgmt_inq_server_princ_name(), overview

    rpc_mgmt_set_authorization_fcn(), overview

    rpc_ns_binding_import_*(), binding to security

    rpc_ns_entry_inq_resolution(), with residual operation

    rpc_server_register_auth_info(), overview

    rpc_syntax_id_t

    rpriv

    rpriv identity, element of cell-profile node

    rpriv, metadata explicit in

    RS

  • Key Distribution (Authentication) Services
  • RS Information
  • Privilege (Authorisation) Services
  • RS Editor RPC Interfaces
  • RS Protected Objects and their ACL Manager Types
  • Common Data Types and Constants for RS Editors

    RS binding

    RS datastore, data type

    RS datastore, lookup by local ID

    RS datastore, lookup by UUID

    RS datastore, management of keys in

    RS datastore, query (lookup) key

    RS datastore, quota

    RS datastore, user-level information

    RS editor

    RS editor RPC interface, future work

    RS information

    RS name, data type

    RS name, registered

    RS namespace, data type

    RS server, properties (data type)

    RS, ACL manager types supported

    RS, as reference monitor

    RS, at least one per cell

    RS, information (data type)

    RS, must be registered

    RS, policy attribute

    rs_acct

  • RS Editor RPC Interfaces

    rs_acct RPC interface

    rs_acct_add

    rs_acct_add(), limited by quota

    rs_acct_add(), may modify RS data

    rs_acct_add(), overview

    rs_acct_add(), use of rs_acct_key_transmit_t

    rs_acct_delete

    rs_acct_delete(), may modify RS data

    rs_acct_delete(), overview

    rs_acct_get_projlist

    rs_acct_get_projlist(), overview

    rs_acct_get_projlist(), part of rs_login_get_info()

    rs_acct_info_t

    rs_acct_key_transmit_t

    rs_acct_key_transmit_t, data type

    rs_acct_lookup

    rs_acct_lookup(), honours sec_rgy_prop_shadow_password

    rs_acct_lookup(), overview

    rs_acct_lookup(), part of rs_login_get_info()

    rs_acct_parts_t

    rs_acct_parts_t, data type

    rs_acct_rename

    rs_acct_rename(), may modify RS data

    rs_acct_rename(), overview

    rs_acct_replace

    rs_acct_replace(), may modify RS data

    rs_acct_replace(), overview

    rs_acct_replace(), use of rs_acct_key_transmit_t

    rs_attr

    rs_attr RPC interface

    rs_attr_cursor_init

    rs_attr_cursor_init(), overview

    rs_attr_cursor_t

    rs_attr_cursor_t, data type

    rs_attr_delete

    rs_attr_delete(), overview

    rs_attr_get_effective

    rs_attr_get_effective(), overview

    rs_attr_get_referral

    rs_attr_get_referral(), overview

    rs_attr_lookup_by_id

    rs_attr_lookup_by_id(), overview

    rs_attr_lookup_by_name

    rs_attr_lookup_by_name(), overview

    rs_attr_lookup_no_expand

    rs_attr_lookup_no_expand(), overview

    rs_attr_schema

    rs_attr_schema RPC interface

    rs_attr_schema_aclmgr_strings

    rs_attr_schema_aclmgr_strings(), overview

    rs_attr_schema_create_entry

    rs_attr_schema_create_entry(), overview

    rs_attr_schema_cursor_init

    rs_attr_schema_cursor_init(), overview

    rs_attr_schema_delete_entry

    rs_attr_schema_delete_entry(), overview

    rs_attr_schema_get_acl_mgrs

    rs_attr_schema_get_acl_mgrs(), overview

    rs_attr_schema_get_referral

    rs_attr_schema_get_referral(), overview

    rs_attr_schema_lookup_by_id

    rs_attr_schema_lookup_by_id(), overview

    rs_attr_schema_lookup_by_name

    rs_attr_schema_lookup_by_name(), overview

    rs_attr_schema_scan

    rs_attr_schema_scan(), overview

    rs_attr_schema_update_entry

    rs_attr_schema_update_entry(), overview

    rs_attr_test_and_update

    rs_attr_test_and_update(), overview

    rs_attr_update

    rs_attr_update(), overview

    rs_auth_policy_get_effective

    rs_auth_policy_get_effective(), overview

    rs_auth_policy_get_info

    rs_auth_policy_get_info(), overview

    rs_auth_policy_set_info

    rs_auth_policy_set_info(), may modify RS data

    rs_auth_policy_set_info(), overview

    rs_bind

    rs_bind identity, element of cell-profile node

    rs_bind interface

    rs_bind RPC interface

    rs_bind_get_update_site

    rs_bind_get_update_site(), overview

    rs_cache_data_t

    rs_cache_data_t, data type

    rs_check_consistency

    rs_check_consistency(), overview

    rs_encrypted_pickle_t

    rs_encrypted_pickle_t, data type

    rs_login_get_info

    rs_login_get_info(), honours sec_rgy_prop_shadow_password

    rs_login_get_info(), overview

    rs_login_info_t

    rs_login_info_t, data type

    rs_misc

    rs_misc interface

    rs_misc RPC interface

    rs_ns_entry_validate

    rs_pgo

  • RS Editor RPC Interfaces

    rs_pgo RPC interface

    rs_pgo_add

    rs_pgo_add(), limited by quota

    rs_pgo_add(), may modify RS data

    rs_pgo_add(), overview

    rs_pgo_add_member

    rs_pgo_add_member(), may modify RS data

    rs_pgo_add_member(), overview

    rs_pgo_delete

    rs_pgo_delete(), may modify RS data

    rs_pgo_delete(), overview

    rs_pgo_delete_member

    rs_pgo_delete_member(), may modify RS data

    rs_pgo_delete_member(), overview

    rs_pgo_get

    rs_pgo_get(), overview

    rs_pgo_get_members

    rs_pgo_get_members(), overview

    rs_pgo_id_key_t

    rs_pgo_id_key_t, data type

    rs_pgo_is_member

    rs_pgo_is_member(), overview

    rs_pgo_key_transfer

    rs_pgo_key_transfer(), overview

    rs_pgo_query_key_t

    rs_pgo_query_key_t, data type

    rs_pgo_query_result_t

    rs_pgo_query_result_t, data type

    rs_pgo_query_t

    rs_pgo_query_t, data type

    rs_pgo_rename

    rs_pgo_rename(), may modify RS data

    rs_pgo_rename(), overview

    rs_pgo_replace

    rs_pgo_replace(), may modify RS data

    rs_pgo_replace(), overview

    rs_pgo_result_t

    rs_pgo_result_t, data type

    rs_pgo_unix_num_key_t

    rs_pgo_unix_num_key_t, data type

    rs_policy

  • RS Editor RPC Interfaces

    rs_policy RPC interface

    rs_policy_get_effective

    rs_policy_get_effective(), overview

    rs_policy_get_info

    rs_policy_get_info(), overview

    rs_policy_get_info(), part of rs_login_get_info()

    rs_policy_set_info

    rs_policy_set_info(), may modify RS data

    rs_policy_set_info(), overview

    rs_prop_acct

    rs_prop_acct RPC interface

    rs_prop_acct_add

    rs_prop_acct_add(), overview

    rs_prop_acct_add_data_t

    rs_prop_acct_add_data_t, data type

    rs_prop_acct_add_key_version

    rs_prop_acct_add_key_version(), overview

    rs_prop_acct_delete

    rs_prop_acct_delete(), overview

    rs_prop_acct_key_data_t

    rs_prop_acct_key_data_t, data type

    rs_prop_acct_rename

    rs_prop_acct_rename(), overview

    rs_prop_acct_replace

    rs_prop_acct_replace(), overview

    rs_prop_acl

    rs_prop_acl RPC interface

    rs_prop_acl_data_t

    rs_prop_acl_data_t, data type

    rs_prop_acl_replace

    rs_prop_acl_replace(), overview

    rs_prop_attr

    rs_prop_attr RPC interface

    rs_prop_attr_data_t

    rs_prop_attr_data_t, data type

    rs_prop_attr_delete

    rs_prop_attr_delete(), overview

    rs_prop_attr_list_t

    rs_prop_attr_list_t, data type

    rs_prop_attr_sch_create_data_t

    rs_prop_attr_sch_create_data_t, data type

    rs_prop_attr_schema

    rs_prop_attr_schema RPC interface

    rs_prop_attr_schema_create

    rs_prop_attr_schema_create(), overview

    rs_prop_attr_schema_delete

    rs_prop_attr_schema_delete(), overview

    rs_prop_attr_schema_update

    rs_prop_attr_schema_update(), overview

    rs_prop_attr_update

    rs_prop_attr_update(), overview

    rs_prop_auth_plcy_set_info

    rs_prop_auth_plcy_set_info(), overview

    rs_prop_pgo

    rs_prop_pgo RPC interface

    rs_prop_pgo_add

    rs_prop_pgo_add(), overview

    rs_prop_pgo_add_data_t

    rs_prop_pgo_add_data_t, data type

    rs_prop_pgo_add_member

    rs_prop_pgo_add_member(), overview

    rs_prop_pgo_delete

    rs_prop_pgo_delete(), overview

    rs_prop_pgo_delete_member

    rs_prop_pgo_delete_member(), overview

    rs_prop_pgo_rename

    rs_prop_pgo_rename(), overview

    rs_prop_pgo_replace

    rs_prop_pgo_replace(), overview

    rs_prop_plcy

    rs_prop_plcy RPC interface

    rs_prop_plcy_set_dom_cache_info

    rs_prop_plcy_set_dom_cache_info(), overview

    rs_prop_plcy_set_info

    rs_prop_plcy_set_info(), overview

    rs_prop_properties_set_info

    rs_prop_properties_set_info(), overview

    rs_prop_replist

    rs_prop_replist RPC interface

    rs_prop_replist_add_replica

    rs_prop_replist_add_replica(), overview

    rs_prop_replist_del_replica

    rs_prop_replist_del_replica(), overview

    rs_properties_get_info

    rs_properties_get_info(), overview

    rs_properties_get_info(), part of rs_login_get_info()

    rs_properties_set_info

    rs_properties_set_info(), may modify RS data

    rs_properties_set_info(), overview

    rs_pwd_mgmt

    rs_pwd_mgmt RPC interface

    rs_pwd_mgmt_plcy_t

    rs_pwd_mgmt_plcy_t, data type

    rs_pwd_mgmt_setup

    rs_pwd_mgmt_setup(), overview

    rs_qry

    rs_qry RPC interface

    rs_query_are_you_there

    rs_query_are_you_there(), overview

    rs_rep_admin_become_master

    rs_rep_admin_become_master(), overview

    rs_rep_admin_become_slave

    rs_rep_admin_become_slave(), overview

    rs_rep_admin_change_master

    rs_rep_admin_change_master(), overview

    rs_rep_admin_destroy

    rs_rep_admin_destroy(), overview

    rs_rep_admin_info

    rs_rep_admin_info(), overview

    rs_rep_admin_info_full

    rs_rep_admin_info_full(), overview

    rs_rep_admin_init_replica

    rs_rep_admin_init_replica(), overview

    rs_rep_admin_maint

    rs_rep_admin_maint(), overview

    rs_rep_admin_mkey

    rs_rep_admin_mkey(), overview

    rs_rep_admin_stop

    rs_rep_admin_stop(), overview

    rs_rep_mgr_become_master

    rs_rep_mgr_become_master(), overview

    rs_rep_mgr_copy_all

    rs_rep_mgr_copy_all(), overview

    rs_rep_mgr_copy_propq

    rs_rep_mgr_copy_propq(), overview

    rs_rep_mgr_get_info_and_creds

    rs_rep_mgr_get_info_and_creds(), overview

    rs_rep_mgr_i_am_master

    rs_rep_mgr_i_am_master(), overview

    rs_rep_mgr_i_am_slave

    rs_rep_mgr_i_am_slave(), overview

    rs_rep_mgr_init

    rs_rep_mgr_init(), overview

    rs_rep_mgr_init_done

    rs_rep_mgr_init_done(), overview

    rs_rep_mgr_stop_until_compat_sw

    rs_rep_mgr_stop_until_compat_sw(), overview

    rs_repadm

    rs_repadm RPC interface

    rs_replica_auth_p_t

    rs_replica_auth_p_t, data type

    rs_replica_auth_t

    rs_replica_auth_t, data type

    rs_replica_comm_info_t

    rs_replica_comm_info_t, data type

    rs_replica_comm_t

    rs_replica_comm_t, data type

    rs_replica_info_t

    rs_replica_info_t, data type

    rs_replica_item_full_t

    rs_replica_item_full_t, data type

    rs_replica_item_p_t

    rs_replica_item_p_t, data type

    rs_replica_item_t

    rs_replica_item_t, data type

    rs_replica_master_info_p_t

    rs_replica_master_info_p_t, data type

    rs_replica_master_info_t

    rs_replica_master_info_t, data type

    rs_replica_name_p_t

    rs_replica_name_p_t, data type

    rs_replica_prop_info_t

    rs_replica_prop_info_t, data type

    rs_replica_prop_t

    rs_replica_prop_t, data type

    rs_replica_twr_vec_p_t

    rs_replica_twr_vec_p_t, data type

    rs_replist

    rs_replist RPC interface

    rs_replist_add_replica

    rs_replist_add_replica(), overview

    rs_replist_delete_replica

    rs_replist_delete_replica(), overview

    rs_replist_read

    rs_replist_read(), overview

    rs_replist_read_full

    rs_replist_read_full(), overview

    rs_replist_replace_replica

    rs_replist_replace_replica(), overview

    rs_repmgr

    rs_repmgr RPC interface

    rs_rpladmn

    rs_rpladmn RPC interface

    rs_sw_version_t

    rs_sw_version_t, data type

    rs_unix

    rs_unix RPC interface

    rs_unix_getmemberents

    rs_unix_getmemberents(), overview

    rs_unix_getpwents

    rs_unix_getpwents(), overview

    rs_unix_query_key_t

    rs_unix_query_key_t, data type

    rs_unix_query_t

    rs_unix_query_t, data type

    rs_update

    rs_update RPC interface

    rs_update_seqno_t

    rs_update_seqno_t, data type

    rs_wait_until_consistent

    rs_wait_until_consistent(), overview

    rsec_id_gen_name

    rsec_id_gen_name(), overview

    rsec_id_gen_name_cache

    rsec_id_gen_name_cache(), overview

    rsec_id_output_selector_t

    rsec_id_output_selector_t, data type

    rsec_id_parse_name

    rsec_id_parse_name(), overview

    rsec_id_parse_name_cache

    rsec_id_parse_name_cache(), overview

    rule-based policy

    rules for inheritance of ACLs

    s

    S-boxes

    salt

    salt, in RS information

    salt, zero-length

    same cell, PTGS processing

    sample

    SCD

    scd RPC interface

    scd_protected_noop

    scd_protected_noop(), overview

    scenario

    schedule

    schema

    Schemas, Well-known Attributes

    scientific notation, in example

    scope

    scramble

    seal

    Seal, List of

    seals

    seat portability

    sec-junction

    sec_rgy_handle_t

    sec_acl

    sec_acl, enumeration of functions

    sec_acl, one-way authentication

    sec_acl_bind

    sec_acl_bind(), overview

    sec_acl_bind_to_addr

    sec_acl_bind_to_addr(), overview

    sec_acl_calc_mask

    sec_acl_calc_mask(), and POSIX

    sec_acl_calc_mask(), overview

    sec_acl_component_name_t

    sec_acl_entry_t

    sec_acl_entry_type_t

    sec_acl_get_access

    sec_acl_get_access(), overview

    sec_acl_get_error_info

    sec_acl_get_error_info(), overview

    sec_acl_get_manager_types

    sec_acl_get_manager_types(), overview

    sec_acl_get_mgr_types_semantics

    sec_acl_get_mgr_types_semantics(), overview

    sec_acl_get_printstring

    sec_acl_get_printstring(), overview

    sec_acl_list_t

    sec_acl_lookup

    sec_acl_lookup(), overview

    sec_acl_p_t

    sec_acl_perm_ bits

    sec_acl_permset_t

    sec_acl_posix_semantics_t

    sec_acl_printstring_t

    sec_acl_release

    sec_acl_release(), overview

    sec_acl_release_handle

    sec_acl_release_handle(), overview

    sec_acl_replace

    sec_acl_replace(), overview

    sec_acl_result_t

    sec_acl_t

    sec_acl_test_access

    sec_acl_test_access(), overview

    sec_acl_test_access_on_behalf

    sec_acl_test_access_on_behalf(), overview

    sec_acl_tower_set_t

    sec_acl_twr_ref_t

    sec_acl_type_t

    sec_attr_acl_mgr_info_p_t, data type

    sec_attr_acl_mgr_info_set_t

    sec_attr_acl_mgr_info_set_t, data type

    sec_attr_acl_mgr_info_t

    sec_attr_acl_mgr_info_t, data type

    sec_attr_bind_auth_info_t

    sec_attr_bind_auth_info_t, data type

    sec_attr_bind_auth_info_type_t

    sec_attr_bind_auth_info_type_t, data type

    sec_attr_bind_info_t

    sec_attr_bind_info_t, data type

    sec_attr_bind_svrname

    sec_attr_bind_svrname, data type

    sec_attr_bind_type_t

    sec_attr_bind_type_t, data type

    sec_attr_binding_t

    sec_attr_binding_t, data type

    sec_attr_component_name_t

    sec_attr_component_name_t, data type

    sec_attr_enc_attr_set_t

    sec_attr_enc_attr_set_t, data type

    sec_attr_enc_bytes_t

    sec_attr_enc_bytes_t, data type

    sec_attr_enc_printstring_p_t

    sec_attr_enc_printstring_p_t, data type

    sec_attr_enc_str_array_t

    sec_attr_enc_str_array_t, data type

    sec_attr_encoding_t

    sec_attr_encoding_t, data type

    sec_attr_i18n_data_t

    sec_attr_i18n_data_t, data type

    sec_attr_intercell_action_t

    sec_attr_intercell_action_t, data type

    sec_attr_sch_entry_flags_t

    sec_attr_sch_entry_flags_t, data type

    sec_attr_schema_entry_parts_t

    sec_attr_schema_entry_parts_t, data type

    sec_attr_schema_entry_t

    sec_attr_schema_entry_t, data type

    sec_attr_t

    sec_attr_t, data type

    sec_attr_trig_type_flags_t

    sec_attr_trig_type_flags_t, data type

    sec_attr_twr_ref_t

    sec_attr_twr_ref_t, data type

    sec_attr_twr_set_p_t, data type

    sec_attr_twr_set_t

    sec_attr_twr_set_t, data type

    sec_attr_value_t

    sec_attr_value_t, data type

    sec_attr_vec_t

    sec_attr_vec_t, data type

    sec_bytes_t

    sec_bytes_t, data type

    sec_chksum_t

    sec_chksum_t, data type

    sec_chksum_type_t

    sec_chksum_type_t, data type

    sec_cred

    sec_cred_free_attr_cursor

    sec_cred_free_cursor

    sec_cred_free_pa_handle

    sec_cred_get_authz_session_info

    sec_cred_get_client_princ_name

    sec_cred_get_deleg_restrictions

    sec_cred_get_delegate

    sec_cred_get_delegation_type

    sec_cred_get_extended_attrs

    sec_cred_get_initiator

    sec_cred_get_opt_restrictions

    sec_cred_get_pa_data

    sec_cred_get_req_restrictions

    sec_cred_get_tgt_restrictions

    sec_cred_get_v1_pac

    sec_cred_initialize_attr_cursor

    sec_cred_initialize_cursor

    sec_cred_is_authenticated

    sec_encrypted_bytes_t

    sec_encrypted_bytes_t, data type

    sec_etype_t

    sec_etype_t, data type

    sec_id API

    sec_id_gen_group

    sec_id_gen_group(), overview

    sec_id_gen_name

    sec_id_gen_name(), overview

    sec_id_parse_group

    sec_id_parse_group(), overview

    sec_id_parse_name

    sec_id_parse_name(), overview

    sec_key_mgmt API

    sec_key_mgmt_change_key

    sec_key_mgmt_change_key(), overview

    sec_key_mgmt_delete_key

    sec_key_mgmt_delete_key(), overview

    sec_key_mgmt_delete_key_type

    sec_key_mgmt_delete_key_type(), overview

    sec_key_mgmt_free_key

    sec_key_mgmt_free_key(), overview

    sec_key_mgmt_garbage_collect

    sec_key_mgmt_garbage_collect(), overview

    sec_key_mgmt_gen_rand_key

    sec_key_mgmt_gen_rand_key(), overview

    sec_key_mgmt_get_key

    sec_key_mgmt_get_key(), overview

    sec_key_mgmt_get_next_key

    sec_key_mgmt_get_next_key(), overview

    sec_key_mgmt_get_next_kvno

    sec_key_mgmt_get_next_kvno(), overview

    sec_key_mgmt_initialize_cursor

    sec_key_mgmt_initialize_cursor(), overview

    sec_key_mgmt_manage_key

    sec_key_mgmt_manage_key(), overview

    sec_key_mgmt_release_cursor

    sec_key_mgmt_release_cursor(), overview

    sec_key_mgmt_set_key

    sec_key_mgmt_set_key(), overview

    sec_key_version_t

    sec_key_version_t, data type

    sec_login API

    sec_login API, used during login

    sec_login Extensions

    sec_login_become_delegate

    sec_login_become_delegate(), overview

    sec_login_become_impersonator

    sec_login_become_impersonator(), overview

    sec_login_become_initiator

    sec_login_become_initiator(), overview

    sec_login_certify_identity

    sec_login_certify_identity(), and process privilege

    sec_login_certify_identity(), overview

    sec_login_cred_get_delegate

    sec_login_cred_get_delegate(), overview

    sec_login_cred_get_initiator

    sec_login_cred_get_initiator(), overview

    sec_login_cred_init_cursor

    sec_login_cred_init_cursor(), overview

    sec_login_disable_delegation

    sec_login_disable_delegation(), overview

    sec_login_export_context

    sec_login_export_context(), overview

    sec_login_free_net_info

    sec_login_free_net_info(), overview

    sec_login_get_current_context

    sec_login_get_current_context(), overview

    sec_login_get_expiration

    sec_login_get_expiration(), overview

    sec_login_get_groups

    sec_login_get_groups(), overview

    sec_login_get_pwent

    sec_login_get_pwent(), overview

    sec_login_import_context

    sec_login_import_context(), overview

    sec_login_init_first

    sec_login_init_first(), overview

    sec_login_inquire_net_info

    sec_login_inquire_net_info(), overview

    sec_login_newgroups

    sec_login_newgroups(), overview

    sec_login_purge_context

    sec_login_purge_context(), overview

    sec_login_purge_context_exp

    sec_login_purge_context_exp(), overview

    sec_login_refresh_identity

    sec_login_refresh_identity(), overview

    sec_login_release_context

    sec_login_release_context(), overview

    sec_login_set_context

    sec_login_set_context(), overview

    sec_login_set_extended_attrs

    sec_login_set_extended_attrs(), overview

    sec_login_setup_first

    sec_login_setup_first(), overview

    sec_login_setup_identity

    sec_login_setup_identity(), overview

    sec_login_tkt_request_options

    sec_login_tkt_request_options(), overview

    sec_login_valid_and_cert_ident

    sec_login_valid_and_cert_ident(), overview

    sec_login_valid_and_cert_ident(), reason for being privileged

    sec_login_validate_first

    sec_login_validate_first(), overview

    sec_login_validate_identity

    sec_login_validate_identity(), overview

    sec_passwd_des_key_t

    sec_passwd_des_key_t, data type

    sec_passwd_rec_t

    sec_passwd_rec_t, data type

    sec_passwd_type_t

    sec_passwd_type_t, data type

    sec_passwd_version_t

    sec_passwd_version_t, data type

    sec_rgy_acct_add

    sec_rgy_acct_admin_flags_t

    sec_rgy_acct_admin_flags_t, data type

    sec_rgy_acct_admin_replace

    sec_rgy_acct_admin_t

    sec_rgy_acct_admin_t, data type

    sec_rgy_acct_auth_flags_t

    sec_rgy_acct_auth_flags_t, data type

    sec_rgy_acct_delete

    sec_rgy_acct_get_projlist

    sec_rgy_acct_key_t

    sec_rgy_acct_key_t, data type

    sec_rgy_acct_lookup

    sec_rgy_acct_passwd

    sec_rgy_acct_rename

    sec_rgy_acct_replace_all

    sec_rgy_acct_user_flags_t

    sec_rgy_acct_user_flags_t, data type

    sec_rgy_acct_user_replace

    sec_rgy_acct_user_t

    sec_rgy_acct_user_t, data type

    sec_rgy_attr_cursor_alloc

    sec_rgy_attr_cursor_init

    sec_rgy_attr_cursor_release

    sec_rgy_attr_cursor_reset

    sec_rgy_attr_delete

    sec_rgy_attr_get_effective

    sec_rgy_attr_lookup_by_id

    sec_rgy_attr_lookup_by_name

    sec_rgy_attr_lookup_no_expand

    sec_rgy_attr_sch_aclmgr_strings

    sec_rgy_attr_sch_create_entry

    sec_rgy_attr_sch_cursor_alloc

    sec_rgy_attr_sch_cursor_init

    sec_rgy_attr_sch_cursor_release

    sec_rgy_attr_sch_cursor_reset

    sec_rgy_attr_sch_delete_entry

    sec_rgy_attr_sch_get_acl_mgrs

    sec_rgy_attr_sch_lookup_by_id

    sec_rgy_attr_sch_lookup_by_name

    sec_rgy_attr_sch_scan

    sec_rgy_attr_sch_update_entry

    sec_rgy_attr_test_and_update

    sec_rgy_attr_update

    sec_rgy_auth_plcy_get_effective

    sec_rgy_auth_plcy_get_info

    sec_rgy_auth_plcy_set_info

    sec_rgy_bind

    sec_rgy_bind interface

    sec_rgy_cell_bind

    sec_rgy_cell_bind(), overview

    sec_rgy_cursor_reset

    sec_rgy_cursor_t

    sec_rgy_cursor_t, data type

    sec_rgy_domain_t

    sec_rgy_domain_t, data type

    sec_rgy_foreign_id_t

    sec_rgy_foreign_id_t, data type

    sec_rgy_handle_t

    sec_rgy_login_get_effective

    sec_rgy_login_get_info

    sec_rgy_login_name_t

    sec_rgy_login_name_t, data type

    sec_rgy_member_buf_t

    sec_rgy_member_buf_t, data type

    sec_rgy_member_t

    sec_rgy_member_t, data type

    sec_rgy_name_t, data type

    sec_rgy_name_t-Short

    sec_rgy_pgo_add

    sec_rgy_pgo_add_member

    sec_rgy_pgo_delete

    sec_rgy_pgo_delete_member

    sec_rgy_pgo_flags_t

    sec_rgy_pgo_flags_t, data type

    sec_rgy_pgo_get_by_eff_unix_num

    sec_rgy_pgo_get_by_id

    sec_rgy_pgo_get_by_name

    sec_rgy_pgo_get_by_unix_num

    sec_rgy_pgo_get_members

    sec_rgy_pgo_get_next

    sec_rgy_pgo_id_to_name

    sec_rgy_pgo_id_to_unix_num

    sec_rgy_pgo_is_member

    sec_rgy_pgo_item_t

    sec_rgy_pgo_item_t, data type

    sec_rgy_pgo_name_to_id

    sec_rgy_pgo_name_to_unix_num

    sec_rgy_pgo_rename

    sec_rgy_pgo_replace

    sec_rgy_pgo_unix_num_to_id

    sec_rgy_pgo_unix_num_to_name

    sec_rgy_plcy_auth_t

    sec_rgy_plcy_auth_t, data type

    sec_rgy_plcy_get_effective

    sec_rgy_plcy_get_info

    sec_rgy_plcy_pwd_flags_t

    sec_rgy_plcy_pwd_flags_t, data type

    sec_rgy_plcy_set_info

    sec_rgy_plcy_t

    sec_rgy_plcy_t, data type

    sec_rgy_pname_t

    sec_rgy_pname_t, data type

    sec_rgy_properties_flags_t

    sec_rgy_properties_flags_t, data type

    sec_rgy_properties_get_info

    sec_rgy_properties_set_info

    sec_rgy_properties_t

    sec_rgy_properties_t, data type

    sec_rgy_sid_t

    sec_rgy_sid_t, data type

    sec_rgy_site_bind

    sec_rgy_site_bind(), overview

    sec_rgy_site_bind_update

    sec_rgy_site_bind_update(), overview

    sec_rgy_site_binding_get_info

    sec_rgy_site_binding_get_info(), overview

    sec_rgy_site_close

    sec_rgy_site_close(), overview

    sec_rgy_site_get

    sec_rgy_site_is_readonly

    sec_rgy_site_is_readonly(), overview

    sec_rgy_site_open

    sec_rgy_site_open(), overview

    sec_rgy_site_open_query

    sec_rgy_site_open_update

    sec_rgy_site_open_update(), overview

    sec_rgy_unix_gecos_t

    sec_rgy_unix_gecos_t, data type

    sec_rgy_unix_getgrgid

    sec_rgy_unix_getgrnam

    sec_rgy_unix_getpwnam

    sec_rgy_unix_getpwuid

    sec_rgy_unix_group_t

    sec_rgy_unix_group_t, data type

    sec_rgy_unix_login_name_t

    sec_rgy_unix_login_name_t, data type

    sec_rgy_unix_passwd_buf_t

    sec_rgy_unix_passwd_buf_t, data type

    sec_rgy_unix_passwd_t

    sec_rgy_unix_passwd_t, data type

    sec_rgy_unix_sid_t

    sec_rgy_unix_sid_t, data type

    sec_rgy_wait_until_consistent

    sec_timeval_period_t

    sec_timeval_period_t, data type

    sec_timeval_sec_t

    sec_timeval_sec_t, data type

    sec_timeval_t

    secidmap

    secidmap RPC interface

    second

    secondary group UUID

    secondary group, in account item

    secrecy

    secret

    secret, role in building trust chain

    secret-key certificate

    secrets

    secure

    security

  • Part 2
  • DCE Security Replication and Propagation
  • Locate a Security Server
  • Protected RPC
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • Part 3
  • Miscellaneous Routines Needed for DCE Security

    security client daemon (SCD)

    security context

    security junction RPC group

    security services, introduction

    security, attribute

    security, based on time

    security, distributed

    security, generalities

    security, integration with naming services

    security, integration with RPC

    security, level provided by DES

    security, logical

    security, model

    security, of cross-cell authentication step

    security, of non-memorisable password

    security, of time source

    security, physical

    security, verifier (PDU)

    security, versus performance

    Security-Related

    Security-The

    Security-Version

    security-version UUID

    seed

    seed, DES

    seed, of CRC

    Selection/Substitution

    selector, in secidmap interface

    self, trust in

    semantic information, in ID map facility

    semantic representation (encoding)

    semantics of permission

    semantics, of permission

    Semi-Weak

    semi-weak keys

    sends

    separator, in cell name

    sequence

    sequence number, checked by KDS server

    sequence number, data type

    sequence, and endianness

    SEQUENCE, denoting field element

    sequences

    server

    server cell, in TGS response

    server name, checked by KDS server

    server name, in TGS response

    server name, not a parameter in sec_acl

    server name, versus CDS-registered service name

    server, in CL context

    server, in KDS Error message

    server, in transit path

    server, readable/writable

    server, receives authentication header

    server, receives PA header

    server, receives PTGS request

    server, security

    server, targeted

    servers

    service

  • DCE Security Replication and Propagation
  • Glossary

    service name, RPC

    service request, failed

    service request/response

    service ticket,

    service,

    service, assured

    service, examples

    service, PTGS

    service, request/response

    service-ticket

    serviceability permission

    services

  • Part 2
  • Key Distribution (Authentication) Services
  • Fundamental Concepts
  • Privilege (Authorisation) Services
  • PAC-Based Privilege Service (PS)

    session

    session key

    session key,

    session key, distributed by KDS

    session key, generation

    session key, in AS response

    session key, in Kerberos protocol

    session key, in TGS response

    session key, use (authentication header flag)

    session,

    set

    set, ACLE permission

    sets

    shadow

    shadow password

    shape model, trusted

    shared state

    shell

    shift

    shift schedule

    short PGO name

    short-term key

    shortword,

    side

    signature

    signature,

    simple

    simple object,

    site

    site, synonymous with server

    skew

    skew,

    skew, in RS information

    slave

    slave RS server

    so

    some

    space character, prohibited in password

    space, in transit path

    special

    specific

    specification

    specificity, of ACLEs

    specified

    spoof

    standard

    start time

    start time, initialisation

    state

    state information, conceptual part of login context

    states

    static method, none for decomposing PGO names

    status

  • Privilege (Authorisation) Services
  • ACL Editor RPC Interface
  • RS Editor RPC Interfaces
  • ID Map Facility RPC Interface
  • Key Management Facility RPC Interface
  • Login Facility and Security Client Daemon (SCD) RPC Interface
  • Access Control List API
  • Registry API
  • ID Map API
  • Key Management API
  • Login API

    status code, ACL editor

    status code, in KDS Error message

    status code, in rpriv

    status code, key management

    status code, RS editor interfaces

    status code, scd interface

    status code, secidmap

    status text, in KDS Error message

    step

    storage, of data type as pickle

    strategy, next-hop

    strength

    strength of algorithm,

    string

    stringname

    stringname, guaranteed unique

    stringname, in PGO item

    stringname, name of PGO

    stringname, on server, identifies object

    stringname, printable (data type)

    strong

    stx_id

    stx_version

    sub_type

    subalgorithm

    subalgorithm, CADA

    subalgorithms

    subject

    subject,

    subject-side access information

    subjects

    subkey to halfblock mapping

    submapping

    subscript

    subtracting rights

    success, in received response

    supported

    surrogate

    surrogate cell principal

    suspicion, of PAC without authentication

    symbol

    symmetric trust peers

    synchronisation

    syntactic method, none for decomposing PGO names

    syntactic representation (encryption)

    syntax identifier

    syntaxes

    t

    T[]

    table

    tag UUID field

    target

    targeted server

    targeted ticket,

    taxonomy, of ACLE types

    TCB

    TCB,

    TCB, issuing cell

    technology, versus human issues

    terminology

    terminology,

    terminology, academic

    test permission

    TGS

  • Privilege (Authorisation) Services

    TGS request

    TGS request, client sends

    TGS request/response

    TGS response

    TGS response, construction

    TGS response, receiving

    TGS,

    TGS, request received

    TGS, request/response processing

    TGS, response (data type)

    TGT

    the CRC,

    their

    theory, formal

    third

    third party, trusted

    Third-Party

    Third-Party, Client Protocol

    Third-Party, Protocol

    Third-Party, Server Protocol

    this

    threat analysis

    ticket

    ticket flag, data type

    ticket,

    ticket, and authenticator

    ticket, basis for denying service

    ticket, data type

    ticket, differences between types

    ticket, distributed by KDS

    ticket, effect when key is changed

    ticket, encrypted part

    ticket, genuineness of received

    ticket, granting service

    ticket, in AS response

    ticket, in Kerberos protocol

    ticket, in service request

    ticket, in TGS response

    ticket, interpretability

    ticket, Kerberos

    ticket, lifetime

    ticket, lifetime in registry property

    ticket, lifetime, in RS information

    ticket, manipulated old

    ticket, newly issued

    ticket, obtained from KDS at login

    ticket, privilege

    ticket, privilege-

    ticket, privilege- (data type)

    ticket, referral

    ticket, request

    ticket, request for new

    ticket, targeted

    ticket, ticket-granting

    ticket, timestamps in

    ticket-granting service (TGS),

    ticket-granting service,

    ticket-granting ticket

    tickets

    time

    time interval, data type

    time services

    time, basis for security

    time, end of

    time, start/expiration

    time, UTC

    time-out

    time-out, password

    timeliness

    timestamp, checked by KDS server

    timestamp, comparison and arithmetic

    timestamp, compromise of

    timestamp, data type

    timestamp, in KDS Error message

    timestamp, in Kerberos protocol

    timestamp, lifetime

    timestamp, microsecond

    timestamp, usage in Kerberos

    timestamps

    Timestamps, Protocol

    token

  • Glossary

    tolerance for malformed ACL

    tower, protocol

    traced

    Traced Delegation

    trademarks

    transaction, semantics not specified

    transferred trust

    transit

  • Glossary

    transit path,

    transit path, checked by KDS server

    transit path, data type

    transit path, empty

    transit path, in AS response

    transit path, in privilege ticket

    transit path, in RS information

    transit path, level of trust in

    transitive trust

    transmitting

    trigger

    Trigger Binding,

    triggers

    trigonometric

    trigonometric vector T[]

    trivial encryption

    trivial, encryption

    true session key

    trust

  • Glossary

    trust chain,

    trust chain, extend to multi-cell case

    trust chain, indirect

    trust chain, link

    trust chain, multi-hop

    trust,

    trust, and authentication flag

    trust, and cross-registration

    trust, evaluating the path

    trust, in transit path

    trust, in UUIDs

    trust, of login context

    trust, varies between cells

    trusted