Access Control – The processes by which the decision is made to permit or deny the discovery and access of resources and enforce that decision. Access control limits the use of a resource to only those people, programs or devices specifically permitted to use the resource.
Access Control List (ACL) – A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
Access Policy – Defines the rules for controlling access to resources that are subject to the scope of a particular access policy. An access policy scope is a specification of a type of information to be protected. Access policies are typically aligned with organizations responsible for particular functions, such as export control.
Accreditation – An administrative action by which a designated authority declares that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards.
Active Directory (AD) – An implementation of LDAP directory services by Microsoft for use primarily in Windows environments.
Aerospace and Defense (A&D) – A term referring to the industry which researches, designs, manufactures, operates and maintains vehicles moving through air and space.
Assertion – A statement from an Identity Provider to a Service Provider that contains identity information about a subscriber. Assertions may also contain verified attributes, may be digitally signed objects or they may be obtained from a trusted source by a secure protocol.
Assurance Level – A measure of trust or confidence in an authentication mechanism, represented in four levels: Level 1: LITTLE or NO confidence, Level 2: SOME confidence, Level 3: HIGH confidence and Level 4: VERY HIGH confidence.
Attribute – A claim of a named quality or characteristic inherent in or ascribed to someone or something.
Attribute Based Access Control (ABAC) – A policy model that allows for access control policy applicability and the associated rules that govern access, to be formulated based on an extensible notion of subject, resource, and other attributes.
Audit – Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.
Authentication – The process of establishing confidence in user identities.
Authorization – The process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. Usually, authorization is in the context of authentication. Once a subject is authenticated, it may be authorized to perform different types of access.
Business Authorization – Generically designates the contractual terms that collaboration partners must follow in order to comply with a particular policy. Particular instances of a Technical Assistance Agreement (TAA) or a Proprietary Information Exchange Agreement (PIEA) are examples of Business Authorizations. DLDAPE v1 defines a generic data model that can be used to precisely capture such business authorizations.
Business Authorization Framework (BAF) – A specification that provides a data and a process model for the capture of information protection policies in a consistent form that can subsequently be used to support the procedural and systemic enforcement of these policies. The BAF includes a set of interchanged formats allowing organizations to exchange digital policies in an interoperable manner.
Business Authorization Identification and Labeling Scheme (BAILS) – A specification that allows organizations to apply security labels on information objects to indicate to human users and systems all the information protection policies that need to be enforced. As part of this specification ILH v1 delivers bindings of logical labels to physical document formats such as office documents. Subsequent versions will add more bindings, such as PDF and CAD/CAM formats.
Certificate – A data object containing a subject identifier, a public key and other information that is digitally signed by a Certification Authority. Certificates convey trust in the relationship of the subject identifier to the public key.
Certificate Lookup Proxy (CLP) – An LDAP proxy that routes lookup requests for End-User Encryption Certificates from sending relying parties to recipients’ End-User Certificate Repository Services.
Certificate Policy (CP) – A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.
Certificate Revocation List (CRL) – A list of revoked public key certificates created and digitally signed by a Certification Authority.
Common Operating Rules (COR) – Identifies the operational rules and policies for identity federation participants. The rules leverage both existing standards and commercial best practices to ensure that identity federation participants support a baseline set of requirements.
Department of Defense (DoD) – U.S. federal department charged with coordinating and supervising all agencies and functions of the government relating directly to national security and the United States Armed Forces.
Digital Labeling of Documents and Access Policy Enforcement (DLDAPE) – A program within TSCP tasked with facilitating the adoption of the digital labeling of documents and associating access control policies based on these labels.
Diffie-Hellman Algorithm – A key agreement algorithm attributed to W. Diffie and M. Hellman (1976). The Diffie-Hellman algorithm is used by two parties in Transport Layer Security (TLS) and other protocols to arrive at a common session key and generate the actual symmetric encryption key or keys from it.
Digital Rights Management (DRM) – Access control technologies used to limit usage and access of digital media or devices.
Do it Yourself (DiY) – Step by step directions for setting up a lab environment.
Document Sharing Based on Identity Federation v.1 (DSIF v.1) – A program within TSCP tasked with facilitating the adoption of identity federation and collaboration via shared electronic documents.
Email Client – A computer program used to read and send email messages. Also known as a mail user agent (MUA).
Email Domain – A DNS domain whose name may be used after the ‘at’ sign in email addresses. Each member may register one or more Email Domains.
Email Gateway – See Inbound Email Gateway or Outbound Email Gateway.
Email Gateway TLS Certificate – An X.509v3 certificate used by Email Gateways to authenticate themselves in TLS-based secure communications. (Note that these certificates may be used in other protocols, for example, to establish security associations in IPSec VPNs.)
End-User Encryption Certificate – An X.509v3 certificate belonging to an email recipient used by senders to encrypt email messages sent to him or her.
End-User Encryption Certificate Repository Service (EUCRS) – An LDAP-accessible repository of End-User Encryption Certificates. May be implemented as a directory or as a filtering proxy forwarding requests to an actual directory.
End-User Signing Certificate – An X.509v3 certificate used by a sending user to digitally sign his or her email messages to other users.
Enterprise Certificate Lookup Proxy (ECLP) – An LDAP proxy running within a Member’s enterprise. This proxy is responsible for mediation between Email Clients, on the one hand, and another Member’s End-User Encryption Certificate Repository Service, on the other.
Ephemeral Diffie-Hellman – An implementation of the Diffie-Hellman key agreement algorithm in which the Diffie-Hellman values are generated freshly for each session (on the fly) rather than read from a certificate, so that compromise of a long-term key does not expose past session keys.
Federation Participant – Any organization in the role of a Service Provider or IDP operating under, or leveraging the common operating rules.
General Services Administration (GSA) – An independent agency of the United States government that helps manage and support the basic functioning of federal agencies. GSA policies promote management best practices and efficient government operations.
Identity Federation (IdF) – Allows members of one organization to use their credentials to access documentation maintained in a separate security domain by a partnering organization.
Identity Proofing – Validates the identity claimed by an individual; it is at the heart of any secure and authoritative process for the issuance and use of identity credentials. The process consists of collecting identity information from authoritative data sources (e.g., personal biographical data, biometrics) and determining the validity of that information and its association with the individual.
Identity Proofing and Vetting (IPV) – Identifies the level of scrutiny used to issue a credential to the principal.
Identity Provider (IdP) – The identity source that authenticates a subject and provides an SP with an assertion vouching for that authentication.
Identity Vetting – A process to determine whether past behavior is a matter of concern for future reliability. Rigorous background investigations, establishing a history of identity, and periodically reconfirming identity and reliability mitigate the risk of an adversary obtaining a valid credential.
Inbound Border Proxy – An LDAP proxy hosted by a Member’s enterprise that forwards End-User Encryption Certificate lookup requests to the actual directory containing those certificates.
Inbound Email Gateway – A component in the email flow responsible for receiving email messages from the senders’ enterprises, either directly or via a relay.
Intellectual Property Protection (IPP) – Laws that establish and maintain ownership rights to intellectual property. The principal forms of IP protection are patents, trademarks and copyrights.
Intellectual Property Rights (IPR) – The right to control and derive the benefits from writings (copyright), inventions (patents), processes (trade secrets) and identifiers (trademarks).
In-Source Enterprise – An enterprise (usually large) that maintains and manages its own IT infrastructure relevant to the Secure Email capability (directories, certificate authorities, proxies, etc.). See Out-Source Enterprise.
Just in Time Provisioning – The process of creating a shadow account at the SP corresponding to a user’s IdP credential in real time. As the user authenticates to an SP for the first time, a shadow account is created for the user.
Liberty Alliance – Collaborative community that establishes open standards, guidelines and best practices for federated identity management.
Mail Relay – An email proxy that mediates between two or more Mail Transfer Agents.
Mail Transfer Agent – A computer program that transfers electronic mail messages from one computer or enterprise to another.
Ministry of Defence (MoD) – Government department responsible for implementation of government defense policy.
National Institute of Standards and Technology (NIST) – A standards laboratory which is a non-regulatory agency of the United States Department of Commerce.
Organization – A legally established entity that can enter into a contractual relationship. Organizations have contractual relationships with one another and with individuals.
Organization-to-Organization Secure Email – All email messages sent by and to users (or end-point devices). The term organization-to-organization secure email describes clear-text email messages that need protection when transmitted between organizations over the Internet.
Out of Band Provisioning – The process of creating a shadow account at the Service Provider, corresponding to a user’s Identity Provider credential in which the shadow account creation is separated from the user’s first authentication. The Service Provider creates the shadow accounts, prior to the user authenticating with the Service Provider for the first time. The Identity Provider must provide a list of users to the Service Provider to support this function.
Outbound Border Proxy – An LDAP proxy deployed by an out-source enterprise Member within its enterprise to mediate between Email Clients, on the one hand, and an SMB Certificate Lookup Proxy, on the other.
Outbound Email Gateway – A component in the email flow responsible for sending email messages to the recipients’ enterprises, either directly or via relays.
Out-Source Enterprise – An enterprise outsourcing some or all elements of its IT infrastructure relevant to the Secure Email capability (directories, certificate authorities, proxies, etc.). See In-Source Enterprise.
Provisioning – The procedural preparation, system preparation, and distribution of the associated data that is required as a precursor to a service and/or associated device being accessed by a user.
Public Key Infrastructure (PKI) – An arrangement that binds public keys with respective user identities by means of a certificate authority.
Role Based Access Control (RBAC) – A model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.
RSA (Rivest, Shamir, Adleman) – A public key algorithm attributed to R. Rivest, A. Shamir and L. Adleman (1977). It derives its strength from the difficulty of factoring large numbers.
Secure Email (SE v.1 and v.2) – A TSCP program tasked with facilitating the adoption of Secure Email based on the S/MIME standard.
Security Assertion Markup Language (SAML) – An XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services Technical Committee.
Shadow Account – An account required by a Service Provider application and mapped to one or more federated identities. A shadow account may be an LDAP/Active Directory account, contained in database tables or application specific user stores. A shadow account is not used for end user initial authentication.
Secure Hash Algorithm (SHA) – A cryptographic hash algorithm; the variant referred to here, SHA-1, maps an input of any length to a 160-bit hash with a low probability of collisions. The algorithm is standardized in FIPS PUB 180. Practical collisions have since been demonstrated for SHA-1, and it is deprecated for digital signatures in favour of the SHA-2 family.
SMB Certificate Lookup Proxy – A Certificate Lookup Proxy servicing several out-source enterprises.
SMB Service Provider – An entity responsible for day-to-day operation, maintenance and management of an SMB Certificate Lookup Proxy. There may be multiple SMB Service Providers servicing different groups of outsource Enterprises.
Technical Profile – A set of rules and procedures an enterprise must follow to be eligible for participation in the International Aerospace and Defense Industry Secure Email Capability.
Transport Layer Security (TLS) – A cryptographic protocol that provides security for communications over networks such as the Internet. The Transport Layer Security protocol is defined in RFC 2246 [RFC2246] and supersedes version 3.0 of the Secure Socket Layer (SSL) protocol. Within TSCP documentation, TLS 1.0 implies support for SSL 3.0.
Transglobal Secure Collaboration Program (TSCP) – A cooperative forum in which leading A&D companies and key government agencies work together to establish and maintain an open standards-based framework that can be used to enable secure collaboration and assured information sharing between parties, irrespective of the tools they choose to use.
Trust Framework Provider (TFP) – Represents the organization(s) which deliver(s) day-to-day operation, maintenance and management of an Identity Federation. The Trust Framework Provider support(s) an industry-wide registry of members, federation trust enablers, technical interoperability services and oversight for federation operating rules and governance.
Trusted Framework Provider Adoption Process (TFPAP) – A process whereby the U.S. Federal government can assess the efficacy of the Trust Frameworks for federal purposes so that an Agency online application or service can trust an electronic identity credential provided to it at a known level of assurance comparable to one of the four OMB Levels of Assurance.
Trust Topology – The worldwide PKI is a directed graph with key pairs as vertices and X.509 certificates as edges. A trust topology is a sub-graph of the worldwide PKI graph containing only those vertices and edges that are acceptable to a Member of this Capability. Hence, a trust topology is always a Member’s view of the PKI.
User-to-User Secure Email – Reflects that an email message is encrypted at one end (by the sender) and decrypted on the other (by the recipient); describes the transmission of encrypted email messages over insecure channels.
Web Services Federation (WS-Fed) – An XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).