
TSCP Glossary

Document Version: 2.04

Publish Date: 10 August 2012

Copyright © 2013 Transglobal Secure Collaboration Participation, Inc. All rights reserved.

Terms and Conditions

Transglobal Secure Collaboration Participation, Inc. (TSCP) is a consortium comprising a number of commercial and government members (as further specified at http://www.tscp.org) (each a “TSCP Member”). This specification was developed and is being released under this open source license by TSCP.

Use of this specification is subject to the disclaimers and limitations described below. By using this specification you (the user) agree to and accept the following terms and conditions:

1. This specification may not be modified in any way. In particular, no rights are granted to alter, transform, create derivative works from, or otherwise modify this specification. Redistribution and use of this specification, without modification, is permitted provided that the following conditions are met:

   • Redistributions of this specification must retain the above copyright notice, this list of conditions, and all terms and conditions contained herein.

   • Redistributions in conjunction with any product or service must reproduce the above copyright notice, this list of conditions, and all terms and conditions contained herein in the documentation and/or other materials provided with the distribution of the product or service.

   • TSCP’s name may not be used to endorse or promote products or services derived from this specification without specific prior written permission.

2. The use of technology described in or implemented in accordance with this specification may be subject to regulatory controls under the laws and regulations of various jurisdictions. The user bears sole responsibility for the compliance of its products and/or services with any such laws and regulations and for obtaining any and all required authorizations, permits, or licenses for its products and/or services as a result of such laws or regulations.

3. THIS SPECIFICATION IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND. TSCP AND EACH TSCP MEMBER DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY, QUIET ENJOYMENT, ACCURACY, AND FITNESS FOR A PARTICULAR PURPOSE. NEITHER TSCP NOR ANY TSCP MEMBER WARRANTS (A) THAT THIS SPECIFICATION IS COMPLETE OR WITHOUT ERRORS, (B) THE SUITABILITY FOR USE IN ANY JURISDICTION OF ANY PRODUCT OR SERVICE WHOSE DESIGN IS BASED IN WHOLE OR IN PART ON THIS SPECIFICATION, OR (C) THE SUITABILITY OF ANY PRODUCT OR A SERVICE FOR CERTIFICATION UNDER ANY CERTIFICATION PROGRAM OF TSCP OR ANY THIRD PARTY.

4. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY CLAIM ARISING FROM OR RELATING TO THE USE OF THIS SPECIFICATION, INCLUDING, WITHOUT LIMITATION, A CLAIM THAT SUCH USE INFRINGES A THIRD PARTY’S INTELLECTUAL PROPERTY RIGHTS OR THAT IT FAILS TO COMPLY WITH APPLICABLE LAWS OR REGULATIONS. BY USE OF THIS SPECIFICATION, THE USER WAIVES ANY SUCH CLAIM AGAINST TSCP OR ANY TSCP MEMBER RELATING TO THE USE OF THIS SPECIFICATION. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR RELATED TO ANY USER OF THIS SPECIFICATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

5. TSCP reserves the right to modify or amend this specification at any time, with or without notice to the user, and in its sole discretion. The user is solely responsible for determining whether this specification has been superseded by a later version or a different specification.

6. These terms and conditions will be interpreted and governed by the laws of the State of Delaware without regard to its conflict of laws and rules. Any party asserting any claims related to this specification irrevocably consents to the personal jurisdiction of the U.S. District Court for the District of Delaware and to any state court located in such district of the State of Delaware and waives any objections to the venue of such court.

Table of Contents

1. Purpose
2. Glossary
    Access Control
    Access Control List
    Access Policy
    Accreditation
    Active Directory
    Aerospace and Defense
    Assertion
    Assurance Level
    Attribute
    Attribute Based Access Control
    Audit
    Authentication
    Authorization
    Business Authorization Framework
    Business Authorization Identification and Labeling Scheme
    Business Authorization
    Certificate
    Certificate Lookup Proxy
    Certificate Policy
    Certificate Revocation List
    Common Operating Rules
    Department of Defense
    Digital Labeling of Documents and Access Policy Enforcement
    Diffie-Hellman Algorithm
    Digital Rights Management
    Do it Yourself
    Document Sharing Based on Identity Federation Version 1
    Email Client
    Email Domain
    Email Gateway
    Email Gateway TLS Certificate
    End-User Encryption Certificate
    End-User Encryption Certificate Repository Service
    End-User Signing Certificate
    Enterprise Certificate Lookup Proxy
    Ephemeral Diffie-Hellman
    Federation Participant
    General Services Administration
    Identity Federation
    Identity Proofing and Vetting
    Identity Provider
    Identity Vetting
    Inbound Border Proxy
    Inbound Email Gateway
    Intellectual Property Protection
    Intellectual Property Rights
    In-Source Enterprise
    Just in Time Provisioning
    Liberty Alliance
    Mail Relay
    Mail Transfer Agent
    Ministry of Defence
    National Institute of Standards and Technology
    Organization
    Organization-to-Organization Secure Email
    Outbound Border Proxy
    Outbound Email Gateway
    Out-Source Enterprise
    Provisioning
    Public Key Infrastructure
    Role Based Access Control
    RSA (Rivest, Shamir, Adleman)
    Secure Email Version 1
    Security Assertion Markup Language
    Shadow Account
    Secure Hash Algorithm
    SMB Certificate Lookup Proxy
    SMB Service Provider
    Technical Profile
    Transport Layer Security
    Transglobal Secure Collaboration Program
    Trusted Framework Provider
    Trusted Framework Provider Adoption Process
    Web Services Federation
    Out of Band Provisioning
    Trust Topology
    User-to-User Secure Email
3. References

1. Purpose

The TSCP Glossary is a comprehensive list of words, terms and acronyms that are used by TSCP project teams and programs and within TSCP documents and specifications. This document includes the preferred terminology used by the TSCP community and the standard definitions of those terms. The TSCP Glossary aggregates several earlier works, including project-specific glossaries that have been published separately or within other TSCP resources. A single glossary ensures that TSCP terms and their meanings and uses remain consistent across the community.

2. Glossary

| Term | Acronym | Definition |
|---|---|---|
| Access Control | | The processes by which the decision is made to permit or deny the discovery and access of resources and enforce that decision. Access control limits the use of a resource to only those people, programs or devices specifically permitted to use the resource. |
| Access Control List | ACL | A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity. |
| Access Policy | | Defines the rules for controlling access to resources that are subject to the scope of a particular access policy. An access policy scope is a specification of a type of information to be protected. Access policies are typically aligned with organizations responsible for particular functions, such as export control. |
| Accreditation | | An administrative action by which a designated authority declares that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. |
| Active Directory | AD | An implementation of LDAP directory services by Microsoft for use primarily in Windows environments. |
| Aerospace and Defense | A&D | A term referring to the industry which researches, designs, manufactures, operates and maintains vehicles moving through air and space. |
| Assertion | | A statement from an Identity Provider to a Service Provider that contains identity information about a subscriber. Assertions may also contain verified attributes, may be digitally signed objects or they may be obtained from a trusted source by a secure protocol. |
| Assurance Level | | A measure of trust or confidence in an authentication mechanism, represented in four levels: Level 1: LITTLE or NO confidence, Level 2: SOME confidence, Level 3: HIGH confidence and Level 4: VERY HIGH confidence. |
| Attribute | | A claim of a named quality or characteristic inherent in or ascribed to someone or something. |
| Attribute Based Access Control | ABAC | A policy model that allows for access control policy applicability, and the associated rules that govern access, to be formulated based on an extensible notion of subject, resource, and other attributes. |
| Audit | | Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures. |
| Authentication | | The process of establishing confidence in user identities. |
| Authorization | | The process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. Usually, authorization is in the context of authentication. Once a subject is authenticated, it may be authorized to perform different types of access. |
| Business Authorization Framework | BAF | A specification that provides a data and a process model for the capture of information protection policies in a consistent form that can subsequently be used to support the procedural and systemic enforcement of these policies. The BAF includes a set of interchanged formats allowing organizations to exchange digital policies in an interoperable manner. |
| Business Authorization Identification and Labeling Scheme | BAILS | A specification that allows organizations to apply security labels on information objects to indicate to human users and systems all the information protection policies that need to be enforced. As part of this specification ILH v1 delivers bindings of logical labels to physical document formats such as office documents. Subsequent versions will add more bindings, such as PDF and CAD/CAM formats. |
| Business Authorization | | Generically designates the contractual terms that collaboration partners must follow in order to comply with a particular policy. For example, particular instances of a Technical Assistance Agreement (TAA) or a Proprietary Information Exchange Agreement (PIEA) are examples of Business Authorizations. DLDAPE v1 defines a generic data model that can be used to precisely capture such business authorizations. |
| Certificate | | A data object containing a subject identifier, a public key and other information that is digitally signed by a Certification Authority. Certificates convey trust in the relationship of the subject identifier to the public key. |
| Certificate Lookup Proxy | CLP | An LDAP proxy that routes lookup requests for End-User Encryption Certificates from sending relying parties to recipients’ End-User Certificate Repository Services. |
| Certificate Policy | CP | A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. |
| Certificate Revocation List | CRL | A list of revoked public key certificates created and digitally signed by a Certification Authority. |
| Common Operating Rules | COR | Identifies the operational rules and policies for identity federation participants. The rules leverage both existing standards and commercial best practices to ensure identity federation participants support a baseline set of requirements. |
| Department of Defense | DoD | U.S. federal department charged with coordinating and supervising all agencies and functions of the government relating directly to national security and the United States Armed Forces. |
| Digital Labeling of Documents and Access Policy Enforcement | DLDAPE | A program within TSCP tasked with facilitating the adoption of the digital labeling of documents and associating access control policies based on these labels. |
| Diffie-Hellman Algorithm | | A key agreement algorithm attributed to W. Diffie and M. Hellman (1976). The Diffie-Hellman algorithm is used by two parties in Transport Layer Security (TLS) and other protocols to arrive at a common session key and generate the actual symmetric encryption key or keys from it. |
| Digital Rights Management | DRM | Access control technologies used to limit usage and access of digital media or devices. |
| Do it Yourself | DIY | Step by step directions for setting up a lab environment. |
| Document Sharing Based on Identity Federation v.1 | DSIF V1 | A program within TSCP tasked with facilitating the adoption of identity federation and collaboration via shared electronic documents. |
| Email Client | | A computer program used to read and send email messages. Also known as a mail user agent (MUA). |
| Email Domain | | A DNS domain whose name may be used after the ‘at’ sign in email addresses. Each member may register one or more Email Domains. |
| Email Gateway | | See Inbound Email Gateway or Outbound Email Gateway. |
| Email Gateway TLS Certificate | | An X.509v3 certificate used by Email Gateways to authenticate themselves in TLS-based secure communications. (Note that these certificates may be used in other protocols, for example, to establish security associations in IPSec VPNs.) |
| End-User Encryption Certificate | | An X.509v3 certificate belonging to an email recipient used by senders to encrypt email messages sent to him or her. |
| End-User Encryption Certificate Repository Service | EUCRS | An LDAP-accessible repository of End-User Encryption Certificates. May be implemented as a directory or as a filtering proxy forwarding requests to an actual directory. |
| End-User Signing Certificate | | An X.509v3 certificate used by a sending user to digitally sign his or her email messages to other users. |
| Enterprise Certificate Lookup Proxy | ECLP | An LDAP proxy running within a Member’s enterprise. This proxy is responsible for mediation between Email Clients, on the one hand, and another Member’s End-User Certificate Repository Service. |
| Ephemeral Diffie-Hellman | | An implementation of the Diffie-Hellman key agreement algorithm in which the common parameters are generated on the fly rather than read from a certificate. |
| Federation Participant | | Any organization in the role of a Service Provider or IDP operating under, or leveraging, the common operating rules. |
| General Services Administration | GSA | An independent agency of the United States government that helps manage and support the basic functioning of federal agencies. GSA policies promote management best practices and efficient government operations. |
| Identity Federation | IdF | Allows members of one organization to use their credentials to access documentation maintained in a separate security domain by a partnering organization. |
| Identity Proofing | | Validates the claimed identity by an individual; it is at the heart of any secure and authoritative process for the issuance and use of identity credentials. The process consists of collecting identity information from authoritative data sources (e.g., personal biographical data, biometrics) and determining the validity and association of the individual and their information. |
| Identity Proofing and Vetting | IPV | Identifies the level of scrutiny used to issue a credential to the principal. |
| Identity Provider | IdP | The identity source that authenticates a subject and provides an SP with an assertion vouching for that authentication. |
| Identity Vetting | | A process to determine whether past behavior is a matter of concern for future reliability. Rigorous background investigations, establishing a history of identity and periodically reconfirming identity and reliability mitigate the risk of an adversary obtaining a valid credential. |
| Inbound Border Proxy | | An LDAP proxy hosted by a Member’s enterprise that forwards End-User Encryption Certificate lookup requests to the actual directory containing those certificates. |
| Inbound Email Gateway | | |
| Intellectual Property Protection | IPP | Laws that establish and maintain ownership rights to intellectual property. The principal forms of IP protection are patents, trademarks and copyrights. |
| Intellectual Property Rights | IPR | The right to control and derive the benefits from writings (copyright), inventions (patents), processes (trade secrets) and identifiers (trademarks). |
| In-Source Enterprise | | An enterprise (usually large) that maintains and manages its own IT infrastructure relevant to the Secure Email capability (directories, certificate authorities, proxies, etc.). See Out-Source Enterprise. |
| Just in Time Provisioning | | The process of creating a shadow account at the SP corresponding to a user’s IDP credential in real time. As the user authenticates to an SP for the first time, a shadow account is created for the user. |
| Liberty Alliance | | Collaborative community that establishes open standards, guidelines and best practices for federated identity management. |
| Mail Relay | | An email proxy that mediates between two or more Mail Transfer Agents. |
| Mail Transfer Agent | | A computer program that transfers electronic mail messages from one computer or enterprise to another. |
| Ministry of Defence | MoD | Government department responsible for implementation of government defense policy. |
| National Institute of Standards and Technology | NIST | A standards laboratory which is a non-regulatory agency of the United States Department of Commerce. |
| Organization | | A legally established entity that can enter into a contractual relationship. Organizations have contractual relationships with one another and with individuals. |
| Organization-to-Organization Secure Email | | All email messages sent by and to users (or end-point devices). The term organization-to-organization secure email describes clear-text email messages that need protection when transmitted between organizations over the Internet. |
| Outbound Border Proxy | | An LDAP proxy deployed by an out-source enterprise Member within its enterprise to mediate between Email Clients, on the one hand, and an SMB Certificate Lookup Proxy, on the other. |
| Outbound Email Gateway | | A component in the email flow responsible for sending email messages to the recipients’ enterprises, either directly or via relays. |
| Out-Source Enterprise | | An enterprise outsourcing some or all elements of its IT infrastructure relevant to the Secure Email capability (directories, certificate authorities, proxies, etc.). See In-Source Enterprise. |
| Provisioning | | The procedural preparation, system preparation, and distribution of the associated data that is required as a precursor to a service and/or associated device being accessed by a user. |
| Public Key Infrastructure | PKI | An arrangement that binds public keys with respective user identities by means of a certificate authority. |
| Role Based Access Control | RBAC | A model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities. |
| RSA (Rivest, Shamir, Adleman) | RSA | A public key algorithm attributed to R. Rivest, A. Shamir and L. Adleman (1977). It derives its strength from the difficulty of factoring large numbers. |
| Secure Email Version 1 | | based on the S/MIME standard. |
| Security Assertion Markup Language | SAML | An XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services Technical Committee. |
| Shadow Account | | An account required by a Service Provider application and mapped to one or more federated identities. A shadow account may be an LDAP/Active Directory account, contained in database tables or application specific user stores. A shadow account is not used for end user initial authentication. |
| Secure Hash Algorithm | SHA | A Secure Hash Algorithm, also called SHA-1, given a text generates a 160-bit hash with a low probability of collisions. The algorithm is standardized by the FIPS PUB 180. |
| SMB Certificate Lookup Proxy | | A Certificate Lookup Proxy servicing several out-source enterprises. |
| SMB Service Provider | | An entity responsible for day-to-day operation, maintenance and management of an SMB Certificate Lookup Proxy. There may be multiple SMB Service Providers servicing different groups of outsource Enterprises. |
| Technical Profile | | A set of rules and procedures an enterprise must follow to be eligible for participation in the International Aerospace and Defense Industry Secure Email Capability. |
| Transport Layer Security | TLS | Cryptographic protocols that provide security for communications over networks such as the Internet. The Transport Layer Security protocol is defined in RFC 2246 [RFC2246], and supersedes version 3.0 of the Secure Socket Layer (SSL) protocol. Within TSCP documentation, TLS 1.0 implies support for SSL 3.0. |
| Transglobal Secure Collaboration Program | TSCP | A cooperative forum in which leading A&D companies and key government agencies work together to establish and maintain an open standards-based framework that can be used to enable secure collaboration and assured information sharing between parties, irrespective of the tools they choose to use. |
| Trusted Framework Provider | TFP | Represents the organization(s) which deliver(s) day-to-day operation, maintenance and management of an Identity Federation. The Trusted Framework Provider support(s) an industry-wide registry of members, federation trust enablers, technical interoperability services and oversight for federation operating rules and governance. |
| Trusted Framework Provider Adoption Process | TFPAP | A process whereby the U.S. Federal government can assess the efficacy of the Trust Frameworks for federal purposes so that an Agency online application or service can trust an electronic identity credential provided to it at a known level of assurance comparable to one of the four OMB Levels of Assurance. |
| Web Services Federation | WS-Fed | An XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). |
| Out of Band Provisioning | | The process of creating a shadow account at the Service Provider, corresponding to a user’s Identity Provider credential in which the shadow account creation is separated from the user’s first authentication. The Service Provider creates the shadow accounts, prior to the user authenticating with the Service Provider for the first time. The Identity Provider must provide a list of users to the Service Provider to support this function. |
| Trust Topology | | The worldwide PKI is a directed graph with key pairs as vertices and X.509 certificates as edges. A trust topology is a sub-graph of the worldwide PKI graph containing only those vertices and edges that are acceptable to a Member of this Capability. Hence, a trust topology is always a Member’s view of the PKI. |
| User-to-User Secure Email | | Reflects that an email message is encrypted at one end (by the sender) and decrypted on the other (by the recipient); describes the |

3. References

ICAM Lexicon Version 1.0, 09JUN2010
