📄 rfc2828.txt
      (C) Larger than a "bit", but smaller than a "word". Although
      "byte" almost always means "octet" today, bytes had other sizes
      (e.g., six bits, nine bits) in earlier computer architectures.

   $ CA
      See: certification authority.

Shirey                       Informational                     [Page 23]

RFC 2828               Internet Security Glossary               May 2000

   $ CA certificate
      (I) "A [digital] certificate for one CA issued by another CA."
      [X509]

      (C) That is, a digital certificate whose holder is able to issue
      digital certificates. A v3 X.509 public-key certificate may have a
      "basicConstraints" extension containing a "cA" value that
      specifically "indicates whether or not the public key may be used
      to verify certificate signatures."

   $ call back
      (I) An authentication technique for terminals that remotely access
      a computer via telephone lines. The host system disconnects the
      caller and then calls back on a telephone number that was
      previously authorized for that terminal.

   $ capability
      (I) A token, usually an unforgeable data value (sometimes called a
      "ticket") that gives the bearer or holder the right to access a
      system resource. Possession of the token is accepted by a system
      as proof that the holder has been authorized to access the
      resource named or indicated by the token. (See: access control
      list, credential, digital certificate.)

      (C) This concept can be implemented as a digital certificate.
      (See: attribute certificate.)

   $ CAPI
      See: cryptographic application programming interface.

   $ CAPSTONE chip
      (N) An integrated circuit (the Mykotronx, Inc. MYK-82) with a Type
      II cryptographic processor that implements SKIPJACK, KEA, DSA,
      SHA, and basic mathematical functions to support asymmetric
      cryptography, and includes the key escrow feature of the CLIPPER
      chip. (See: FORTEZZA card.)

   $ card
      See: cryptographic card, FORTEZZA card, payment card, PC card,
      smart card, token.

   $ card backup
      See: token backup.

   $ card copy
      See: token copy.

   $ card restore
      See: token restore.

   $ cardholder
      (I) An entity that has been issued a card.

      (O) SET usage: "The holder of a valid payment card account and
      user of software supporting electronic commerce." [SET2] A
      cardholder is issued a payment card by an issuer. SET ensures that
      in the cardholder's interactions with merchants, the payment card
      account information remains confidential. [SET1]

   $ cardholder certificate
      (O) SET usage: A digital certificate that is issued to a
      cardholder upon approval of the cardholder's issuing financial
      institution and that is transmitted to merchants with purchase
      requests and encrypted payment instructions, carrying assurance
      that the account number has been validated by the issuing
      financial institution and cannot be altered by a third party.
      [SET1]

   $ cardholder certification authority (CCA)
      (O) SET usage: A CA responsible for issuing digital certificates
      to cardholders and operated on behalf of a payment card brand, an
      issuer, or another party according to brand rules. A CCA maintains
      relationships with card issuers to allow for the verification of
      cardholder accounts. A CCA does not issue a CRL but does
      distribute CRLs issued by root CAs, brand CAs, geopolitical CAs,
      and payment gateway CAs. [SET2]

   $ CAST
      (N) A design procedure for symmetric encryption algorithms, and a
      resulting family of algorithms, invented by C.A. (Carlisle Adams)
      and S.T. (Stafford Tavares). [R2144, R2612]

   $ category
      (I) A grouping of sensitive information items to which a
      non-hierarchical restrictive security label is applied to increase
      protection of the data. (See: compartment.)

   $ CAW
      See: certification authority workstation.

   $ CBC
      See: cipher block chaining.

   $ CCA
      See: cardholder certification authority.

   $ CCITT
      (N) Acronym for French translation of International Telephone and
      Telegraph Consultative Committee. Now renamed ITU-T.

   $ CERT
      See: computer emergency response team.

   $ certificate
      (I) General English usage: A document that attests to the truth of
      something or the ownership of something.

      (C) Security usage: See: capability, digital certificate.

      (C) PKI usage: See: attribute certificate, public-key certificate.

   $ certificate authority
      (D) ISDs SHOULD NOT use this term because it looks like sloppy use
      of "certification authority", which is the term standardized by
      X.509.

   $ certificate chain
      (D) ISDs SHOULD NOT use this term because it duplicates the
      meaning of a standardized term. Instead, use "certification path".

   $ certificate chain validation
      (D) ISDs SHOULD NOT use this term because it duplicates the
      meaning of standardized terms and mixes concepts in a potentially
      misleading way. Instead, use "certificate validation" or "path
      validation", depending on what is meant. (See: validate vs.
      verify.)

   $ certificate creation
      (I) The act or process by which a CA sets the values of a digital
      certificate's data fields and signs it. (See: issue.)

   $ certificate expiration
      (I) The event that occurs when a certificate ceases to be valid
      because its assigned lifetime has been exceeded. (See: certificate
      revocation, validity period.)

   $ certificate extension
      See: extension.

   $ certificate holder
      (D) ISDs SHOULD NOT use this term as a synonym for the subject of
      a digital certificate because the term is potentially ambiguous.
      For example, the term could also refer to a system entity, such as
      a repository, that simply has possession of a copy of the
      certificate. (See: certificate owner.)

   $ certificate management
      (I) The functions that a CA may perform during the life cycle of a
      digital certificate, including the following:

       - Acquire and verify data items to bind into the certificate.
       - Encode and sign the certificate.
       - Store the certificate in a directory or repository.
       - Renew, rekey, and update the certificate.
       - Revoke the certificate and issue a CRL.

      (See: archive management, certificate management, key management,
      security architecture, token management.)

   $ certificate owner
      (D) ISDs SHOULD NOT use this term as a synonym for the subject of
      a digital certificate because the term is potentially ambiguous.
      For example, the term could also refer to a system entity, such as
      a corporation, that has acquired a certificate to operate some
      other entity, such as a Web server. (See: certificate holder.)

   $ certificate policy
      (I) "A named set of rules that indicates the applicability of a
      certificate to a particular community and/or class of application
      with common security requirements." [X509] (See: certification
      practice statement.)

      (C) A certificate policy can help a certificate user decide
      whether a certificate should be trusted in a particular
      application. "For example, a particular certificate policy might
      indicate applicability of a type of certificate for the
      authentication of electronic data interchange transactions for the
      trading goods within a given price range." [R2527]

      (C) A v3 X.509 public-key certificate may have a
      "certificatePolicies" extension that lists certificate policies,
      recognized by the issuing CA, that apply to the certificate and
      govern its use. Each policy is denoted by an object identifier and
      may optionally have certificate policy qualifiers.

      (C) SET usage: Every SET certificate specifies at least one
      certificate policy, that of the SET root CA. SET uses certificate
      policy qualifiers to point to the actual policy statement and to
      add qualifying policies to the root policy. (See: SET qualifier.)

   $ certificate policy qualifier
      (I) Information that pertains to a certificate policy and is
      included in a "certificatePolicies" extension in a v3 X.509
      public-key certificate.

   $ certificate reactivation
      (I) The act or process by which a digital certificate, which a CA
      has designated for revocation but not yet listed on a CRL, is
      returned to the valid state.

   $ certificate rekey
      (I) The act or process by which an existing public-key certificate
      has its public key value changed by issuing a new certificate with
      a different (usually new) public key. (See: certificate renewal,
      certificate update, rekey.)

      (C) For an X.509 public-key certificate, the essence of rekey is
      that the subject stays the same and a new public key is bound to
      that subject. Other changes are made, and the old certificate is
      revoked, only as required by the PKI and CPS in support of the
      rekey. If changes go beyond that, the process is a "certificate
      update".

      (O) MISSI usage: To rekey a MISSI X.509 public-key certificate
      means that the issuing authority creates a new certificate that is
      identical to the old one, except the new one has a new, different
      KEA key; or a new, different DSS key; or new, different KEA and
      DSS keys. The new certificate also has a different serial number
      and may have a different validity period. A new key creation date
      and maximum key lifetime period are assigned to each newly
      generated key. If a new KEA key is generated, that key is assigned
      a new KMID. The old certificate remains valid until it expires,
      but may not be further renewed, rekeyed, or updated.

   $ certificate renewal
      (I) The act or process by which the validity of the data binding
      asserted by an existing public-key certificate is extended in time
      by issuing a new certificate. (See: certificate rekey, certificate
      update.)

      (C) For an X.509 public-key certificate, this term means that the
      validity period is extended (and, of course, a new serial number
      is assigned) but the binding of the public key to the subject and
      to other data items stays the same. The other data items are
      changed, and the old certificate is revoked, only as required by
      the PKI and CPS to support the renewal. If changes go beyond that,
      the process is a "certificate rekey" or "certificate update".

   $ certificate request
      (D) ISDs SHOULD NOT use this term because it looks like imprecise
      use of a term standardized by PKCS #10 and used in PKIX. Instead,
      use the standard term, "certification request".

   $ certificate revocation
      (I) The event that occurs when a CA declares that a previously
      valid digital certificate issued by that CA has become invalid;
      usually stated with a revocation date.

      (C) In X.509, a revocation is announced to potential certificate
      users by issuing a CRL that mentions the certificate. Revocation
      and listing on