OASIS Security Services TC: Glossary
draft-sstc-glossary-00.{doc,html,pdf}
Contributors (alphabetically):
Carlisle Adams, Entrust
Zahid Ahmed, CommerceOne
Marlena Erdos, Tivoli
Jeff Hodges, Oblix (editor)
Maryann Hondo, IBM
Hal Lockhart, Entegrity
Prateek Mishra, Netegrity
RL “Bob” Morgan, University of Washington
Tim Moses, Entrust
David Orchard, Jamcracker
Darren Platt, Securant
Evan Prodromou, Outlook Technologies
Irving Reid, Baltimore
This document is an OASIS-Draft and is (for the most part) in conformance with relevant OASIS SSTC document standards.
Send overall comments on this document to security-services@lists.oasis-open.org, though this document, as of this update, has been most actively discussed on the security-use@lists.oasis-open.org list, and comments about this document sent to that list are just fine, too.
The OASIS Security Services Technical Committee (SSTC) web pages and document repository are available here:
http://www.oasis-open.org/committees/security/
This document: draft-sstc-glossary-00.doc
draft-sstc-glossary-00.html
draft-sstc-glossary-00.pdf
Prior version of this document: draft-sstc-hodges-glossary-01.html
Date | By Whom | What
21 Jan 2001 v00 | Jeff Hodges | Created.
8 Feb 2001 v01 | Jeff Hodges | Added various terms supplied by Bob Blakley, and others culled from the S2ML 0.8a doc.
9 Feb 2001 v01 | Jeff Hodges | Cleaned up refs, added refs, added definitions, enhanced or otherwise mangled others.
30 Mar 2001 v00 | Jeff Hodges | Aligned terms with draft-sstc-use-domain-02 and discussion thereof in the security-use subgroup’s conference calls; aligned terms with usage in the X.8xx/ISO-10181 series of docs; added commentary to various definitions where security-use needs to come to consensus and/or make decision(s) on refining said definitions; deleted various referenceable terms such as HTTP, LDAP, etc.; renamed doc to draft-sstc-glossary-00.
This document comprises an overall glossary for the OASIS Security Services Technical Committee (SSTC) and its subgroups. Individual SSTC documents and/or subgroup documents may either reference this document and/or “import” select subsets of terms.
The sources for the terms and definitions herein are referenced in Appendix A. Please refer to those sources for definitions of terms not explicitly defined here. Where possible and convenient, hypertext links directly to definitions within the aforementioned sources are included. Some definitions are quoted directly from the sources, some are modified to fit the context of the OASIS SSTC (aka SAML) effort.
Other SAML documents may either or both (a) include copies of definitions herein (define by value), (b) refer to this document and the applicable definitions (define by reference). In the case of (a), editors of those documents should work with the glossary editor in order to normalize the value(s) of the definitions.
Definitions that need to be added (i.e. the entry is presently blank), decisions made about, or otherwise enhanced are marked with a ?.
Definition senses and/or options (i.e. we need to decide which one(s) to base our usage on) are denoted by “(a)”, “(b)”, and so on.
Definitions that’ve been specifically agreed to by the Use Case & Requirements (security-use@oasis-open.org) subgroup are denoted by reference to “[33]”.
Entries with a definition of “? (xxx)” mean that at least the document editor suspects we need to consider defining this term, and we haven’t yet discussed it and/or no-one’s taken a stab at defining it and/or we might actually not need to define it.
Editorial comments are highlighted like so. Some may also have comments attached at the end of the document.
Clarifications & Musings
It will arguably be reasonable to refer to a system implementing & using SAML as a “A”, “AA”, or “AAA” service – which one depending upon the functionality of the version of SAML being used, what the SSTC decides the functionality of the (potentially) various versions of SAML turn out to be, and so on. Looking ahead, may want to coin a phrase such as “a SAML-based AAA service”, and think about contracting that phrase into a shorter term.
Candidates for removal
These are terms that the editor thought more folks than just himself ought to think about removing.
AAA Server - synonymous with a PDP?
Access Control Factors - synonymous with access control information?
Actor - synonymous with principal?
Authc - synonymous with authn?
Clearance - specific to Multilevel Security (MLS)
Label - specific to Multilevel Security (MLS)
Policy Decision - essentially synonymous with Access Control Decision.
Receiving Site - synonymous with Relying party.
“Authentication and Authorization”, or “Authentication, Authorization, and Accounting (or Auditing)” – each of the “A”s being a general class of security mechanism. These mechanisms are key building blocks for implementing security architectures and security services.

See Asserting Party.

An AAA system component whose users are typically administrators and whose function is management of various aspects of an AAA system deployment.

A network service providing AAA or AA functionality. AAA services typically implement portions of security policies, and are implemented by security mechanisms. AAA services are essentially a subset of security services, but the terms are sometimes informally used synonymously.

A system entity that is also an AAA system component whose function is to make policy decisions on behalf of requesters. It accepts and answers queries via some network protocol (TBD). It may or may not rely on information stored in an (external) repository, e.g. in a directory service, an RDBMS, etc. [23]

A set of AAA system components delivering an AAA service.

? A system entity that is one of the identifiable components of embodiments of AAA systems.

An instance of a deployed AAA system. An AAA System Deployment is typically hosted within, and delivers security services to, a given administrative domain. It also may be utilized to provide such services to other administrative domains.

The ability and means to communicate with, or otherwise interact with, a system entity in order to manipulate, and/or use, and/or gain knowledge of, some (or all) of a system entity’s system resources. [4]

1. Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized system entities (users, programs, processes, or other systems) according to that policy. [4] 2. The prevention of unauthorized access of a resource, including the prevention of use of a resource in an unauthorized manner. [9]

? The decision arrived at as a result of evaluating the requester’s identity, the requested operation, and the requested resource in light of applicable security policy. (Surprisingly enough, not explicitly defined in [10].)

A specialized function that makes access control decisions by applying access control policy rules to an access request, access control decision information (of initiators, targets, access requests, or that retained from prior decisions), and the context in which the access request is made [10].

The portion (possibly all) of the Access Control Information made available to the Access Decision Function in making a particular access control decision [10].

A specialized function that is part of the access path between an initiator and a target on each access request and enforces the decision made by the Access Control Decision Function [10].

Any information used for access control purposes, including contextual information [10].

A request, when being processed by a server, may be associated with a wide variety of security-related factors (e.g. section 4.2 of [17]). The server uses these factors to determine whether and how to process the request. These are called access control factors (ACFs). They might include source IP address, encryption strength, the type of operation being requested, time of day, etc. Some factors may be specific to the request itself, others may be associated with the connection via which the request is transmitted, others (e.g. time of day) may be "environmental". [25]

The set of rules that define the conditions under which an access may take place [10].

? Security policy rules concerning the provision of the access control service [10].

? (haven’t been able to find a concise def for this with a modicum of looking)

? (xxx)

? (xxx)

? (xxx)

The operations and operands that form part of an attempted access of a system resource. An access request may be communicated between parties via a request. [10]

? A role that an actor has donned when performing some operation, e.g. accessing a resource.

? From [2]: A computational entity [i.e. system entity] utilizing security services. Examples of actors include application servers, application programs, security services (?), transport and message-level interceptors, etc. Perhaps actor is effectively synonymous with system entity.

An environment or context that is defined by some combination of administrative policies, Internet Domain Name registration(s), civil legal entity(ies) (e.g. individual(s), corporation(s), or other formally organized entity(ies)), plus a collection of hosts, network devices and the interconnecting networks (and possibly other traits), plus (often various) network services and applications running upon them. An Administrative Domain may contain or define one or more security domains. An administrative domain may encompass a single site or multiple sites. The traits defining an Administrative Domain may, and in many cases will, evolve over time. Administrative Domains may interact and enter into agreements for providing and/or consuming services across Administrative Domain boundaries.

A person who installs, maintains, and/or makes use of the resources of an AAA System Deployment for system management and/or user management and/or content management purposes (as opposed to application purposes; see also End User). An administrator is typically affiliated with a particular administrative domain and may be affiliated with more than one administrative domain. See also deployer.

The quality or state of being anonymous.

The condition of having a name [or identity] that is unknown or concealed. [4]

A software system run on a host that provides an execution environment for higher-level applications, for example business-oriented apps.

(a) A piece of data constituting a declaration of identity or authorizations. See also: credential. ? (b) "Data that is transferred to establish the claimed identity of an entity." [9]

? An issuer of assertions.

An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system. [4]

A distinct characteristic of an object. An object’s attributes are said to describe the object. Objects’ attributes are often specified in terms of their physical traits, such as size, shape, weight, and color, or address, phone number, etc., for real-world objects. Objects in cyberspace might have attributes describing size, type of encoding, network address, etc. Which attributes of an object are salient is decided by the beholder. Attributes are of various types, and are often represented by an attribute name along with one or more attribute values. See also Attribute Value Assertion, entry. [11] [17]

? (a) A system entity that produces Attribute assertions, based upon TBD inputs. [33] (b) An authority which assigns privileges by issuing attribute certificates. [32]

? An assertion about attributes of a principal.

The human-palatable name associated with a particular attribute type.

A data structure consisting of lists of attribute value assertions (aka name-value pairs). [12]

An attribute type typically governs whether an attribute is single- or multi-valued, the syntax to which the values must conform, the kinds of matching which can be performed on values of that attribute, and other functions. [17]

An attribute value is one or more pieces of data, encoded according to the syntax of the attribute’s type. [17]

An Attribute Value Assertion is an assertion with the general abstract form of “attribute type IS attribute value”. [17]

Independent review and examination of records and activities to determine compliance with established usage policies and to detect possible inadequacies in product technical security policies or their enforcement. [8]

An identity attribute containing an identity used only for accountability purposes. [13]

See Authentication.

See Authentication.

See Authorization.

? (a) To verify (i.e., establish the truth of) an identity claimed by or for a system entity. [4] [8] (b) “to authenticate” – the act of presenting one’s credentials in order to become authenticated.

? (a) Authentication is the process of confirming a system entity’s asserted principal identity with a specified, or understood, level of confidence. [7] [33] (b) The process of verifying a principal identity claimed by or for a system entity. [12] [33]

Data vouching for the occurrence of an authentication of a principal at a particular time using a particular authentication mechanism. Synonym(s): name assertion.

A system entity that verifies credentials and produces authentication assertions. [33]

? Examples: simple username and password; Kerberos; client-side (and server-side) authn via the TLS/SSL “handshake protocol” during TLS/SSL session establishment; any SASL mechanism. JeffH hasn’t yet found a concise and referenceable def for this term.

An identified computer-based entity implementing a security service (e.g. creation of assertions, credentials, PACs, and so on). [12]

? The process of determining which types of activities are permitted. Usually, authorization is in the context of authentication. Once you have authenticated an entity, the entity may be authorized different types of access or activity. [8] <rough>The “act of authorization” is when an AEF acts upon information received from an ADF.</rough> The (act of) granting of access rights to a subject (for example, a user, or program). [12]

? In concept, an authorization assertion is a statement of policy about a resource, such as: The user "noodles" is granted "execute" privileges on the resource "/usr/bin/guitar". Should this be Authorization Decision?

Attributes about a principal which may be useful in an authorization decision (group, role, title, contract code, ...). [33]

A data structure that contains Authentication Assertions and Authorization attributes.

? An authorization identity is one kind of access control factor. It is the name of the user or other entity that requests that operations be performed. Access control policies are often expressed in terms of authorization identities; e.g., entity X can perform operation Y on resource Z. [25] The transmitted authorization identity may be different than the identity in the client's authentication credentials. This permits agents such as proxy servers to authenticate using their own credentials, yet request the access privileges of the identity for which they are proxying. [27]

A system entity or actor is “authorized” if it is granted a right or a permission or a capability to access a system resource. See also authorization.

A token that gives its holder the right to access a system resource. Possession of the token is accepted by the access control mechanism as proof that the holder has been authorized to access the resource named or indicated by the token. [12]

Initiator-bound ACI that can be compared with security labels of targets [10].

A system entity that requests and uses a service provided by another system entity, called a "server". [4]

? See Contextual Information. (We may actually want to use a much more general, commonplace definition of context – i.e. what we mean when we’re waving our hands and saying something like “that all depends upon the context”. This is because contextual information is defined narrowly.)

Information about or derived from the context in which an access request is made (e.g. time of day) [10]. Effectively synonymous with access control factors.

? Attributes, associated with a security object, that, when matched against the privilege attributes of a security subject, are used to grant or deny access to the security object. [19]

? (a) Data that is transferred or presented to establish either a claimed identity or the authorizations of a system entity. (See also: assertion, authentication information, capability, ticket.) [4] (b) Data that is transferred to establish a claimed principal identity. [9] [33] ---

The response of an Access Control Decision Function to a decision request [12], using terminology from [10]. See also access control decision.

The message an Access Control Enforcement Function sends to an Access Decision Function to ask it whether a particular access request should be granted or denied [12], using terminology from [10].
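As an added example (not part of the original glossary, and not code from any SAML or ISO 10181 implementation), here is a toy model of how the Access Control Enforcement Function, the Access Control Decision Function, access control decision information, contextual information (access control factors) and the authorization identity defined above fit together. The targets, labels, groups, network ranges and policy rules are constructed sample data.

```python
"""Toy model of the access control framework this glossary draws from
ISO 10181-3 / X.812 (reference [10]): an Access Control Enforcement Function
(AEF) on the access path between initiator and target sends a decision
request to an Access Control Decision Function (ADF), which applies access
control policy rules to the access control decision information (ADI) and to
contextual information (access control factors). All targets, attributes and
rules below are constructed sample data, not taken from the glossary."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    """Operation and operand: what the initiator asks to do to which target."""
    operation: str
    target: str


@dataclass(frozen=True)
class DecisionRequest:
    """What the AEF sends to the ADF for one access request."""
    authenticated_identity: str    # identity in the client's authentication credentials
    authorization_identity: str    # identity whose privileges are requested (differs for a proxy)
    privilege_attributes: dict     # initiator-bound ADI of the authorization identity
    access_request: AccessRequest
    contextual_information: dict   # access control factors: source IP, hour, cipher strength


# Target-bound control attributes (constructed): a label plus, per operation,
# the groups whose privilege attributes satisfy the access control policy rules.
CONTROL_ATTRIBUTES = {
    "/usr/bin/guitar": {"label": "internal",
                        "operations": {"execute": {"musicians"}}},
    "/payroll/db": {"label": "confidential",
                    "operations": {"read": {"finance"}, "write": {"payroll-admin"}}},
}
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2}  # clearance must dominate label
INTERNAL_NET = ip_network("10.0.0.0/8")                        # constructed internal range


def access_control_decision_function(req, control_attributes=CONTROL_ATTRIBUTES):
    """ADF: returns ('grant' | 'deny', reason) for one decision request."""
    target = control_attributes.get(req.access_request.target)
    if target is None:
        return "deny", "no control attributes for target"  # default deny
    # Rule 1: the initiator's clearance (ADI) must dominate the target's label.
    clearance = req.privilege_attributes.get("clearance", "public")
    if LABEL_RANK.get(clearance, -1) < LABEL_RANK[target["label"]]:
        return "deny", "clearance below target label"
    # Rule 2: some group of the authorization identity must be granted the operation.
    granted_groups = target["operations"].get(req.access_request.operation, set())
    if not granted_groups & set(req.privilege_attributes.get("groups", ())):
        return "deny", "no group grants this operation"
    # Rule 3: contextual information (access control factors of the request).
    ctx = req.contextual_information
    if target["label"] == "confidential":
        if ip_address(ctx.get("source_ip", "0.0.0.0")) not in INTERNAL_NET:
            return "deny", "confidential target reachable only from internal network"
        if ctx.get("encryption_bits", 0) < 128:
            return "deny", "encryption strength too weak"
    if req.access_request.operation == "write" and not 8 <= ctx.get("hour", -1) < 18:
        return "deny", "writes permitted only during business hours"
    return "grant", "all access control policy rules satisfied"


def access_control_enforcement_function(req, perform):
    """AEF: sits on the access path; performs the operation only if the ADF grants it."""
    decision, reason = access_control_decision_function(req)
    if decision != "grant":
        return {"enforced": "denied", "reason": reason}
    return {"enforced": "performed", "result": perform(req.access_request)}
```

A proxy is modelled by a DecisionRequest whose authenticated_identity is the proxy's own while authorization_identity and privilege_attributes belong to the entity it proxies for; the ADF decides on the latter.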
An administrator in the act of, and/or (sometimes) primarily responsible for, deploying a particular system or systems in an administrative domain’s network infrastructure. This may involve configuring the system or systems to interact with systems of other administrative domains.

The time at which a system is actually configured, tested, and/or put to use, as opposed to its being in the vendor’s development pipeline or in transit between the vendor and a customer. See also site-specific.

“DMZ” is from the military term for an area between two opponents where fighting is prevented. See also [6] and DMZ network.

DMZ network is a commonly-used, equivalent term for (see also) perimeter network.

An entity, usually a human individual, that makes use of resources for application purposes (as opposed to system management purposes; see Administrator).

A host that an end user makes use of for general computational, application, and communication purposes.

Various attributes and attribute values, mapped to a given end user. User attributes are stored in the profile, e.g. identifier(s), name(s), contact information, organizational information, computing infrastructure information, etc. Profiles are often implemented as directory entries.

Typically the combination of: an End User, plus the End User’s computer, plus the browser running on that computer. End User System is (often? sometimes?) used in place of the terms “client” or “user” because there are often many components that act as clients of other components, and which may not be directly and/or actively controlled by a user.

? (a) A data structure containing Access Control Decision Information and/or access control policy rule information in a form usable by applications to, for example, customize their behavior based on access control policy or to make access control decisions in their own code [12], using terminology from [10]. (b) A digitally signed XML assertion consisting of a “portable” package of authorization data created by an issuing authority concerning an authenticated subject. [2]

See System Entity.

See End User System.

See End User System.

Networks outside one’s administrative domain and (in typical usage of the term) with which one’s networks are connected.

The part of a company or organization's computer network which is available to outside users, for example, information services for customers and/or suppliers. [14] See also extranet in [6].

A firewall is a device that gives an administrative domain a means to control how its internal network(s) interact with external networks.

A commonly-used term referring to a security perimeter that is largely defined by the presence of one or more firewalls.

A computer that is attached to a communication subnetwork or internetwork and can use services provided by the network to exchange data with other attached systems. A host is distinguished from other similarly connected and addressable devices on the network, e.g. routers, in that it doesn’t forward Internet Protocol packets that are not addressed to it. A host may be either an end user’s computer or a server. [8]

A representation (e.g. a string) uniquely mapped to a system entity (e.g. an end user, an administrator, a host, or some process, or some network device).

An entity (e.g. human user or computer-based entity) that attempts to access other entities [10].

? An entity which, after receiving an access request from an initiator, issues another access request on that initiator’s behalf [12]. This is a narrow definition of intermediary and is essentially the same as “proxy”. We need to carefully think about our use of this term and carefully define it and associated terms.

See Intranet.

A local area network which may or may not be connected to the Internet, but which has some similar functions. Some organizations set up World Wide Web servers on their own internal networks so employees have access to the organization's web documents. [14] See also intranet in [6].

? A system entity that issues stuff, e.g. an issuer of assertions. [2]

A marking that is bound to a protected resource and that names or designates the security-relevant attributes of that resource (derived from [9]).

The notion of controlling network access and usage, and consequently protecting hosts from attack, via network routing configuration and filtering, the use of firewalls and similar devices, or some combination thereof. See also [5].

For the purposes of this document, one of routers, bridges, repeaters, hubs, switches, etc.

Work performed (or offered) by a server over a network. This may mean simply serving simple requests for data to be sent or stored (as with web servers); or it may be more complex work, such as that of print servers, distributed file servers, X Windows servers, AAA servers, or application servers. (Definition largely from [6].)

A configuration of network devices and hosts, and their interconnections.

The action that an initiator’s access request asks to have performed on a protected resource [12].

The server on which a given resource resides or is to be created. [16]

? The site where the origin server resides.

= assertions [+ entitlements] + payload ?

? An actor or actors (principal or principals) participating in some process or communication, such as accessing a resource. See also: access request, system entity, user.

? A role that a resource effectively dons when it is the object of some operation.

The essential data that is being carried within a packet or other transmission unit. The payload does not include the "overhead" data required to get the packet to its destination. Note that what constitutes the payload may depend on the point of view. To a communications layer that needs some of the overhead data to do its job, the payload is sometimes considered to include the part of the overhead data that this layer handles. However, in more general usage, the payload is the bits that get delivered to the end user (or whatever entity) at the destination. [26]

A network between external networks and internal networks whose explicit role is to facilitate creation and management of additional layer(s) of security (as compared to not having a perimeter network). Also sometimes called a DMZ network. See also [5].

Network-based security applied at the perimeter of one’s security domain. See also [5].

? Concisely, a policy is a mapping of user credentials with authority to act [8]. Policies are often essentially access control lists. [8]

? Essentially synonymous with Access Control Decision.

? (a) A [system] entity that makes policy decisions for itself or for other system entities that request such decisions. [31] (b) Synonymous with Access Control Decision Function. [10] (c) Synonymous with AAA Server.
--- Options:
1. we use (a) “as is”, or,
2. we use (b) “as is” (this would mean moving the def for Access Control Decision Function to this location), or,
3. we use (c) “as is”, or,
4. we blend the three definitions together.
Selecting any of the above options involves deleting the entries for Access Control Decision Function and AAA Server from this doc, and updating all definitions using those terms to use the new terms.

? (a) A [system] entity that [requests and subsequently] enforces policy decisions. [31] (b) Synonymous with Access Control Enforcement Function. [10]
--- Options:
1. we use (a) “as is”, or,
2. we use (b) “as is” (this would mean moving the def for Access Control Enforcement Function to this location), or,
3. we blend the two definitions together.
Selecting any of the above options involves deleting the entry for Access Control Enforcement Function itself from this doc, and updating all definitions using that term to use the new term.

? (a) AAA Service clients are sometimes called principals in order to distinguish them from clients of other services, and perhaps from their own clients, if they are themselves servers. Note that an AAA service principal may be any form of system entity. [29] (b) An instantiation of a system entity within the security domain. [33] (c) An entity whose identity can be authenticated. [34]

An attribute associated with an initiator that, when matched against control attributes of a protected resource, is used to grant or deny access to that protected resource (derived from the ECMA TR/46 definition). [19]

A data structure containing privilege attributes. May be signed by the authority which generated it [12].

A target, access to which is restricted by an access control policy [12].

Web resources whose availability to requesters is being managed, i.e. protected, via some access control mechanism.

(a) An entity authorized to act for another; (b) authority or power to act for another; (c) a document giving such authority. [28]

A computer process that relays a protocol between client and server computer systems, by appearing to the client to be the server and appearing to the server to be the client. [4]

? (xxx)

? (xxx)

See Relying Party.

? A site that receives, interprets, and acts according to security assertions. Essentially synonymous with relying party.

? One who is making a decision contingent upon information or advice from another entity. E.g. an entity that is relying upon various security assertions about some other party(ies), made by yet another party(ies).

? Synonymous in this document with System Resource. JeffH feels that we need to decide whether we use the term “resource” or “system resource” in this and other SAML docs. We need to choose one and use it consistently.

As in “service requester”, or “requester of resources”. A system entity that is utilizing a protocol to request services from a service. Essentially functionally equivalent to the term client, but often used rather than “client” because many system entities simultaneously and/or serially act as both clients and servers.

(a) In the computer system and networking sense: an expectation of loss expressed as the probability that a particular threat (or set of threats) will exploit a particular vulnerability (or set of vulnerabilities) with a particular harmful result(s). [8] (b) In general, the level of risk in a given context is inversely proportional to the level of trust the relationships within the context are accorded. [30] (c) More generally: possibility of loss or injury. [28]

Risk analysis involves determining what you need to protect, what you need to protect it from, and how to protect it. It is the process of examining all of your risks, then ranking those risks by level of severity. For example, see the Risk Assessment section of Chapter 2 in [22].

? Dictionaries define a role as “a character or part played by a performer” or “a function or position.” Principals don various types of roles serially and/or simultaneously, e.g. active roles and passive roles. The notion of an Administrator is often an example of a role.

To examine or observe with great care; inspect critically. [28]

Security refers to a collection of safeguards that ensure the confidentiality of information, protect the system(s) or network(s) used to process it, and control access to it (them). Security typically encompasses the concepts/topics/themes of secrecy, confidentiality, integrity, and availability. It is intended to ensure that a system resists potentially correlated attacks. [7]

A plan and set of principles for an administrative domain and its security domains that describe (a) the security services that a system is required to provide to meet the needs of its users, (b) the system elements required to implement the services, and (c) the performance levels required in the elements to deal with the threat environment. A complete system security architecture addresses administrative security, communication security, computer security, emanations security, personnel security, and physical security. It prescribes security policies for each. A complete security architecture needs to deal with both intentional, intelligent threats and accidental kinds of threats. A security architecture should explicitly evolve over time as an integral part of its administrative domain’s evolution. [4]

? An assertion that is typically scrutinized in the context of a security policy.