Authentication: A process used to verify identity.

Bilateral Trust: The fact that most business arrangements are based on formal and informal agreements that involve only two companies and that trust is limited to those companies or a subset of their employees.

Certificate: An electronic identifier from a certificate authority that includes a signature made by a CA with its private key. The authenticity of the signature is validated by other users who trust the CA's public key. Certificates also include the user's public key--relied on for data encryption or verifying the user's own signature.

Public CA (Certificate Authority): An entity that provides a way for two or more businesses to establish trust by virtue of the fact t hat they each trust a third party. That third party issues certificates to the businesses containing public keys. VeriSign is the best known U.S. example of a public CA.

CAPI (Crypto API): The industry's first major security API framework. Developers are already writing to CAPI to security-enable applications that will run on Microsoft platforms.

CDSA (Common Data Security Architecture): Intel's multi-API security framework for encryption and authentication. CDSA has also been accepted by a working group of The Open Group, and IBM, Intel and Netscape are working to refine it.

XUDA (Xcert Universal Database API): A securit y API set from Xcert that lets application developers tap both PKIX and SPKI/SDSI infrastructures.

SPKI/SDSI (Simple Public Key Infrastructure/Simple Distributed Security Infrastructure): The SPKI efforts of the IETF have been combined with SDSI, an approach outlined by MIT's Ron Rivest and Microsoft's Butler Lampson. The IETF draft creates Public Key Infrastructure (PKI), emphasizing authorizations rather than identities. It lets certificates be created that do not identify a person, but that indicate what that person is authorized to do on a network. SDSI/SPKI differs from the more developed and accepted PKIX (Public Key Infrastructure X.509) in specifying a highly distributed, client-focused trust model relying on delegated human-readable certificates. For example, a business might issue "salesperson" certificates to employees and those employees might issue "salesperson-customer" certificates to customers, and only those customers identified as customers associated with a salesperson will gai n entry. SDSI/SPKI also is more flexible than PKIX in letting end users define rules for processing certificates. It also rejects the complex ASN.1 syntax of X.509. Considerable control is put in the hands of end users, rather than relying on a centralized infrastructure for establishing identities. The infrastructure also puts an emphasis on short-lived, ephemeral certificates, reissued daily, for example, in lieu of extensive reliance on CRLs.

Distinguished Names: The idea within X.509 that a unique user name is married to each certificate, even though users may have multiple names on a network.

Key: The formula used by an encryption algorithm to change data to be unrecognizable.

Attribute: an extension of identification concepts that describes user permissions to engage in specific activities or to access network resources, i.e. to spend up to $500 or to access part of a database. In certain contexts a unique name identifier can also be used as an attribute.

Privilege-Based Attribute: A term used in this article to lump those certificate or database attributes otherwise known as capability, authority, policy, roles-based or access attributes. Privilege attributes go beyond identifying a person to describe specific rights they may exercise on or off the network--for example, a privilege attribute may limit a person's spending authority with a business partner, spell out read/write access to a database, or indicate which network resources may be accessed; it may also indicate rules or policies, such as time of day in which resources are accessible.

SESAME (Secure European System for Applications in a Distributed Multivendor Environment): A standard for certificate authorities that is supported by some of Europe's largest providers. SESAME supports privilege-based attributes.

Private-Key Encryption (symmetric): A method of encryption in which the same key is used to encrypt and decrypt. The process for delivering and updating these keys can become cumbersome with large networks. Kerberos is a popular private-key authentication approach used today with the Distributed Computing Environment (DCE).

Public-Key Encryption (asymmetric): A method of encryption that relies on the speed of symmetric private-key encryption to perform a special-purpose encryption of data. This data is then encrypted once again u sing the slower-speed symmetric public key of the user for whom it is destined. Authentication occurs when the recipient of data is able to decrypt that data using the sender's public key.

CRL (Certificate Revocation List): A listing of nonvalid user certificates that must be checked as part of every authentication or encryption process.

Cross-Certification: The process by which two CAs establish a trust relationship and issue certificates to one another.

Policy: The mapping of user credentials with the authority to act.

Digital Signature: The use of public-key cryptography to assure identity tied to data sent over a network. Digital signatures are created using a mathematical summary of the data to be sent (a hash), which is encrypted with the sender's private key and read by the recipient using the sender's public key. Digital signatures assure the integrity of the data and provide some support for nonrepudiation.

PGP (Pretty Good Privacy): PGP is an identity trust model that has been implemented (and is marketed by a company of the same name) in both a distributed and hierarchical fashion. It typically is distinguished from PKIX or SDSI/SPKI by the fact that it determines whether a certificate is valid (and not generated by an impostor) through a web of trust. Multiple parallel paths are examined and weighted to determine validity.

Application and Transport Layer Security: Application-layer security tends to be secure at all points in a network but either requires application security embedding or reliance on still-emerging APIs; network-layer securi ty encrypts node to node, but it can leave data in the clear while residing on a specific network node. End-to-end security is pro-vided through application-layer security, while transport-layer security is typi-cally point-to-point. IPsec and Secure Sockets Layer (SSL) are two important network transport-layer security standards.

IPsec (IP Security): An IETF encryption/connection authentication interoperability standard that supports both Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) and Sun's Simple Key Management for IP (SKIP) key management schemes in IPv4; ISAKMP-Oakley is speci-fied for IPv6. Because IPsec is at the IP layer, it works with any TCP, UDP or Internet Control Message Protocol (ICMP) application without requiring an explicit interface as does SSL. SKIP is promoted for its multicast support.

Key Management: The process used to establish keys, encryption and authentication algorithms in preparation for communication. ISAKMP/Oakley a nd SKIP can be used for key management.