The Glossary page contains definitions of key terms and phrases used throughout our documentation site. This resource aims to clarify terminology, making it easier for you to navigate and understand the content and features we offer.
An AAGUID (Authenticator Attestation GUID) is a unique identifier for a type or model of authenticator used in the WebAuthn and FIDO2 authentication frameworks. It allows relying parties to recognize the capabilities and characteristics of the authenticator used during the registration and authentication processes.
An authenticator or identity device is a hardware or software component used to verify the identity of a user or device. In this document, the terms are used interchangeably.
Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients.
API stands for application programming interface, which is a set of definitions and protocols for building and integrating application software.
API keys are unique identifiers used to authenticate and control access to an application programming interface (API). They are typically long alphanumeric strings generated by the API provider and assigned to developers or applications that need to interact with the API.
AIA stands for "Authority Information Access," and within the framework of a Certificate Authority (CA), the AIA URL (Authority Information Access URL) denotes the specific location where supplementary details about the CA and its certificates can be accessed. The AIA URL is a critical component of the certificate validation process, as it enables clients (such as web browsers, applications, or other CAs) to retrieve essential information necessary for verifying the authenticity and reliability of a certificate.
CBA or Certificate-Based Authentication is a method of verifying the identity of a user, device, or service on a network using digital certificates issued and signed by a trusted certificate authority (CA).
A content signing certificate is used to digitally sign content, ensuring its integrity, authenticity, and non-repudiation. The purpose of using a content signing certificate is to provide a verifiable digital signature that assures recipients that the content has not been altered and that it indeed comes from the claimed sender.
The CRL URL (Certificate Revocation List URL) indicates the location where the Certificate Revocation List is published and made accessible to clients and applications. The CRL comprises digital certificates that have been revoked before their expiration dates, indicating that they should no longer be trusted, for reasons such as key compromise. Included in the digital certificates issued by the CA, the CRL URL permits clients to periodically check for updates to the CRL, ensuring they acquire the most recent list of revoked certificates.
Crypto tokens in EJBCA refer to entities that manage cryptographic keys and perform cryptographic operations. These tokens can be software-based or hardware-based (such as Hardware Security Modules - HSMs). They are essential for operations like signing certificates, generating key pairs, and encrypting/decrypting data.
A DNS record, or Domain Name System record, is a database entry in the DNS (Domain Name System) that maps human-friendly domain names to various types of information. These records are essential for the functioning of the internet, as they allow users to access websites using domain names (like example.com) instead of having to remember IP addresses (like 192.0.2.1).
Docker is a platform that enables developers to automate the deployment, scaling, and management of applications using containerization. Docker containers package an application and its dependencies together, providing a consistent environment across various stages of development, testing, and production.
Docker Compose is a tool for defining and running multi-container Docker applications. It uses a YAML file to configure the application's services, networks, and volumes, simplifying the orchestration of multiple containers.
Specific URLs provided by identity or service providers where authentication and authorization transactions are conducted.
Fast Identity Online (FIDO) Authentication is a set of open technical specifications that define user authentication mechanisms that reduce the reliance on passwords.
FIDO2 refers to the combination of the FIDO Alliance's specification for Client-to-Authenticator Protocols (CTAP) and the World Wide Web Consortium's (W3C) Web Authentication (WebAuthn) specification, which together enable users to authenticate to online services from both mobile and desktop environments using an on-device or external authenticator.
FIDO2 passkeys are cryptographic keys used in the Fast Identity Online 2 (FIDO2) authentication protocol. These keys can be either generated by a user's device or derived from biometric data. They serve as a secure means of verifying a user's identity during authentication processes, offering strong protection against various forms of cyber threats like phishing and password theft.
HMAC (Hash-based Message Authentication Code) Secret is a cryptographic mechanism used to ensure data integrity and authenticity. It is used to verify that a message has not been altered and to authenticate the identity of the sender.
A Hardware Security Module (HSM) is a physical device that provides secure storage and management of cryptographic keys and sensitive data. It's designed to safeguard cryptographic operations and protect sensitive information from unauthorized access and tampering.
An IdP (Identity Provider) is an entity that creates, maintains, and manages identity information and provides authentication services to relying parties.
JSON (JavaScript Object Notation) is a lightweight data format used for storing and exchanging data. It is easy for humans to read and write and easy for machines to parse and generate. JSON is commonly used in web applications to transmit data between a server and a client.
Key management refers to the processes, policies, and technologies used to generate, distribute, store, use, rotate, revoke, and retire cryptographic keys within a Certificate Authority (CA).
A "key algorithm" refers to the mathematical process or cryptographic technique used to generate cryptographic keys. Cryptographic keys are fundamental elements in cryptography used for encryption, decryption, digital signatures, and authentication. The most common families are symmetric, asymmetric, and hash-based key algorithms.
The OCSP (Online Certificate Status Protocol) service provides a means to check the validity and status of digital certificates in real-time. The OCSP Service Default URI in EJBCA refers to the default Uniform Resource Identifier (URI) that clients use to access the OCSP service.
Structured information that describes, explains, or makes it easier to retrieve, use, or manage an information resource.
OpenID Connect is an authentication protocol based on OAuth 2.0 that allows clients to verify the identity of end-users by obtaining basic profile information.
PKI stands for Public Key Infrastructure. It is a system that manages digital certificates and public-private key pairs, facilitating secure communication and authentication over a network.
PKCS#12 (Public-Key Cryptography Standards #12) is a binary format for storing a bundle of cryptographic objects. It is used to store a private key along with its corresponding public key certificate and optionally, a chain of certificates that form a trust chain. The format is defined by RSA Security as part of the Public-Key Cryptography Standards (PKCS) series.
The term 'Push Verify' typically refers to a method of two-factor authentication (2FA) where a user receives a push notification on their mobile device to approve or deny a login attempt.
A Relying Party (RP) is an entity in an authentication system that relies on an authenticator or identity provider to verify the identity of a user.
RFC822 Name is an email address. This type of SAN is used to indicate that the certificate is also valid for a specific email address. It is formatted according to the syntax specified in RFC 822, which is an Internet standard for the format of email messages.
RA stands for Registration Authority and is a crucial component in the Public Key Infrastructure (PKI) that acts as an intermediary between the end entities (such as users or devices) and the Certificate Authority (CA). The RA is responsible for various functions related to the identity verification and management of end entities before certificate issuance by the CA.
SAML (Security Assertion Markup Language) is an XML-based framework for exchanging authentication and authorization data between identity providers and service providers.
Subject Alternative Name (SAN) is an X.509 extension that allows various values to be associated with a PKI certificate using the subjectAltName field. To represent a user identity, organizations include one or more SAN entries in the X.509 certificate that identify the person the certificate represents. The SAN fields in a certificate follow a standardized format so that the certificate consumer (browser, authentication applications, etc.) can easily determine the identity provided in the digital certificate.
An SMS Gateway enables a computer to send and receive SMS text messages to and from an SMS-capable device over the global telecommunications network (normally to a mobile phone). The SMS Gateway translates the message sent and makes it compatible for delivery over the network to be able to reach the recipient.
The Simple Mail Transfer Protocol (SMTP) is a technical standard for transmitting electronic mail (email) over a network. Like other networking protocols, SMTP allows computers and servers to exchange data regardless of their underlying hardware or software.
An SMTP server, also known as an outgoing mail server, is a computer or software that handles outgoing email messages. It is a system that gathers, handles, and delivers email.
Secure Sockets Layer (SSL) is a standard cryptographic protocol used for encrypting connections between two computers over the internet, for example to secure email transmissions.
Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a computer network. It is widely used for securing web traffic and ensuring the privacy and data integrity of the communications between two systems, typically a client and a server.
A URI (Uniform Resource Identifier) is a string that uniquely identifies a particular resource. A URI can be a URL (Uniform Resource Locator) that specifies where the resource is located, or a URN (Uniform Resource Name) that names the resource without indicating where it is located. In the context of SAN, it can be used to specify that the certificate is valid for a particular web resource or other types of resources.
A User Principal Name is a user identifier in Active Directory (AD), typically in the format of an email address (e.g., user@domain.com). It uniquely identifies a user within the AD domain.
YAML, which stands for "YAML Ain't Markup Language," is a human-readable data serialization standard that can be used to write configuration files. It is designed to be easy to read and write, and it is commonly used for configuration files and data exchange between languages with different data structures.
Zero Trust is a security framework based on the principle of "never trust, always verify." Unlike traditional security models that assume trust within a network perimeter, Zero Trust enforces continuous authentication, strict access controls, and least privilege access for every user, device, and application, regardless of location.