Algorithm. An algorithm is a mathematical function that is used to encrypt and decrypt information.

Auditor. In order to perform proper audits, the Auditor must be competent in the field of compliance audits and familiar with NFC policy. The Auditor may be either a private firm, or must provide an unbiased, indigent evaluation (i.e., an agency inspector general). The purpose of the audit is to verify that the certificate procedures are compliant with NFC policy.

Authentication. Authentication is a security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

Access Certificate. Access certificates use Virtual Private Networks (VPN's). VPN's allow remote access to critical network applications and resources. A VPN is created by building channels from one point to another in an Internet Protocol (IP) network. A VPN is a secure communication. Access allows you to exchange information over internal and public networks with complete confidentiality, integrity, and strong authentication. Access is used for Internet remote access, internetworking (intranets), and communication with business partners (extranets).

Certification Authority (CA). The CA is an authority trusted by one or more users to issue and manage certificates. The CA is the security solution for conducting business on the Internet. The CA ensures that electronic transactions are conducted with confidentiality, data integrity, proper user authentication, and protection against repudiation. NFC serves as the CA for its customers.

Certificate Action Request (CAR) Form. The Form AD-1148 is a form completed by all Subscribers and submitted by the Local Registration Authority (LRA) to NFC for retention. The form must be signed by the Subscriber in the presence of either the LRA, Trusted Agent, or a Notary Public. (The appropriate copy(ies) of a picture ID is also sent to NFC with the original form. This form is sent to NFC at the same time as the Subscriber Agreement.)

Certificate Policy (CP). The CP is the administrative policy for certificate management. A CP addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a CP can also govern the transactions conducted using a communications system protected by a certificate-based system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provisions of the security services required by a particular application.

Certificate Practices Statement (CPS). A CPS is an internal statement of practices that a CA employs in issuing certificates. A CPS is expected to be a detailed and comprehensive technical and procedural document regarding the operation of the supporting infrastructure.

Certificate Revocation List (CRL). The CRL is the CA's listing of invalid certificates. Revocation can occur due to time lapse, employment change, theft of a private key, or other reasons.

Ciphertext. Ciphertext is information that has been encrypted into seemingly meaningless code.

Confidentiality. Confidentiality is the guarantee that data is not shared with unauthorized entities.

Cross Certification. Cross Certification is used to establish a trusted relationship between two CA's.

Desktop Encryption. Desktop Encryption is more secure than desktop passwords. It protects your computer with ciphertext. Ciphertext is information that has been encrypted into seemingly meaningless code. ICE is the Entrust desktop encryption product.

Digital Certificate. A Digital Certificate is a digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. A Digital Certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key.

Digital Signature. A digital signature is like a paper signature, but it is electronic. A digital signature cannot be forged. A digital signature provides verification to the recipient that the file came from the person who sent it, and it has not been altered since it was signed.

eAuthentication. eAuthentication sets the standard for identity proofing individuals and businesses, based on risk of online services used. The initiative focuses on meeting the authentication business needs of the eGov initiatives, building the necessary infrastructure to support common, unified processes and systems for government-wide use. This helps build trust that is an inherent part of every online exchange between citizens and the Government.

E-commerce. E-commerce is the use of network technology (especially the Internet) to buy or sell goods and services.

E-mail Certificate. An e-mail certificate is a certificate used to create encrypted e-mail. NFC offers e-mail certificates for Lotus Notes, Microsoft Eudora Pro, and Web-based e-mail.

Encryption. Encryption is the mathematical process of transforming plain text into a less readable form. The less readable form is called ciphertext. This ciphertext can be read by anyone who has the key that decrypts the ciphertext.

Entelligence Certificate. An Entrust Entelligence Certificate is a certificate that is loaded on the Subscriber's desktop. It provides an integrated solution to secure internal applications.

Enterprise Certificate. These certificates include secure e-mail, digital signatures and encryption for web applications, digital signatures and encryption for non-web applications, virtual private networks, and desktop security.

Enrollment Server For Web. The Entrust Enrollment Server for Web is a server that issues digital certificates to applications and devices.

Federal Bridge Certification Authority (FBCA). FBCA supports interoperability among Federal Agency PKI domains in a peer-to-peer fashion and acts as a facilitator between Federal agencies in reaching agreements on recognizing or cross-certifying each other's certificates.

Federal Identity Credentialing Committee (FICC). The FICC is responsible for certifying PKI service providers to operate under Federal Common Policy Framework and for managing the Shared Service Provider (SSP) program for PKI service providers.

Firewall. A firewall is a gateway that limits access between networks in accordance with the local security policy.

High Level Certificate. High level certificates are appropriate when threats to data are high, or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk. NFC is currently considering offering high level certificates, which will require smartcards, with future expansion of CA services.

Information Systems Security Officer (ISSO). The ISSO receives requests for certificates, processes the requests, and issues the certificates.


Interagency Agreement (IA). An IA is an agreement between NFC and a relying agency for NFC to provide PKI services for the agency.

LRA Agreement. Before becoming an LRA, an LRA Agreement (Form AD-1150) must be completed and signed. The original form must be sent to NFC for retention. It is recommended that a copy be kept at the agency level for agency records. The Agreement becomes effective on the date that the LRA Agreement is signed. An LRA must comply with all terms of the LRA Agreement in order to perform the duties of an LRA.

Medium Level Certificate. Medium level certificates provide a level of assurance relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial.

Operational Authority (OA) Security Officer. An OA Security Officer interfaces with the system and LRA's. OA Security Officers are employees of the Information Systems Policy Control Unit.

Operator. An Operator is responsible for the routine operation of the CA equipment and operations such as system backups and recovery or changing recording media.

Policy Authority (PA). The PA is an agent of the NFC CA. The PA is responsible for selecting and/or defining CP's, approving any cross-certification or interoperability agreements with external CA's, approving practices for the CA to follow by reviewing the CPS to make sure that it is in accordance with the CP, and providing policy direction to the OA. The PA has a committee to assist him/her in the PA role.

Private Key. A Private Key is (1) the key of a signature key pair used to create a digital signature or (2) the key of an encryption key pair used to decrypt confidential information. In both cases, this key must be kept secret.

Public Key. A Public Key is (1) the key of a signature key pair used to validate a digital signature or (2) the key of an encryption key pair used to encrypt confidential information. In both cases, this key is made publicly available.

Public Key Infrastructure (PKI). PKI is a set of policies, processes, server platforms, software, and workstations used to administer certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

Relying Party. The Relying Party is a person or agency who has received information that includes a certificate and a digital signature verifiable with reference to a public key listed in the certificate, and is in a position to rely on them. The Relying Party relies on the validity of the binding of the Subscriber's name to a public key. The Relying Party is responsible for deciding whether or how to check the validity of the certificate by checking the appropriate certificate status information. The Relying Party can use the certificate to verify the integrity of a digitally-signed message to identify the creator of the message, or to establish confidential communications with the holder of the certificate. A Relying Party may use information in the certificate to determine the suitability of the certificate for a particular use. The Relying Party is the owner of the application.

Roaming. Roaming is a method allowing users to access security services using their certificate but not being constrained to a specific PC, device, or location.

Roaming Profile Name. The Roaming Profile Name is usually the legal name of the Subscriber. The Subscriber determines his/her own Roaming Profile Name. Because this is unique to the Subscriber based on the Shared Secret, the Subscriber can use his/her real name without worry of duplicates.

Shared Secret. The Shared Secret is sent to the Subscriber by the CA after the LRA submits the request for a Subscriber's certificate. The Shared Secret is used in conjunction with a Subscriber-determined passphrase when using a certificate.

Subscriber. The Subscriber (1) is the subject named or identified in a certificate, (2) holds a private key that corresponds to the public key listed in the certificate, and (3) does not issue certificates to another party. This includes, but is not limited to, an individual or network device. The Subscriber's name appears as the subject in a certificate in accordance with Certificate Policy asserted in the certificate.

Subscriber Agreement. The Subscriber Agreement is an agreement signed by all Subscribers and witnessed by the LRA or Trusted Agent acknowledging that a user is requesting that the NFC CA issue the user a certificate and user agrees to the terms of the certificate. The LRA sends all original Subscriber Agreements to NFC for retention.

Trusted Agent. A Trusted Agent acts in the capacity of the LRA when the LRA is unavailable, such as in remote locations and foreign offices.

Virtual Private Network (VPN). A VPN only works between the client and NFC. It can work from Desktop to NFC or Desktop to other firewalls, but there must be a Checkpoint or IBM firewall. This is a secure connection. VPN is used for telecommuting with NFC. The Entrust product for VPN connectivity is Access.