Macquarie University’s E-Learning Centre Of Excellence (MELCOE)
|ANSI||American National Standards Institute|
|ARIADNE||Alliance of Remote Instructional Authoring & Distribution Networks for Europe|
|COLIS||Collaborative Online Learning and Information Services|
|CQL||Common Query Language|
|DAM||Digital Assets Management|
|DOI||Digital Object Identifier|
|DRI||Digital Repositories Interoperability|
|DRM||Digital Rights Management|
|EML||Educational Modelling Language|
|GUID||Globally Unique Identifier|
|HEIP||Higher Education Innovation Program|
|IEEE||Institute of Electrical and Electronics Engineers|
|IMS||The IMS Global Learning Consortium. IMS is concerned with ‘standards for learning servers, learning content and the enterprise integration of these capabilities’. The name came originally from ‘Instructional Management Systems’. http://www.imsproject.org/|
|IIS&R||Interaction of IT Systems and Repositories|
|LCMS||Learning Content Management System|
|LDAP||Lightweight Directory Access Protocol|
|LMS||Learning Management System|
|LOX||Learning Object Exchange|
|LOM||IEEE Learning Object Meta-data|
|LOMS||Learning Object Management System|
|NISO||National Information Standards Organization|
|OAI-PMH||Open Archive Initiative Protocol for Metadata Handling|
|ODRL||Open Digital Rights Language|
|OKI||The Open Knowledge Initiative. A collaboration among leading universities and specification and standards organizations to support innovative learning technology in higher education. http://www.okiproject.org|
|PAM||Pluggable Authentication Module or Presence & Availability Management|
|REL||Rights Expression Language|
|SCOs||Sharable Content Objects|
|SOAP||Simple Object Access Protocol|
|SCORM||Shareable Content Object Reference Model|
|SRU||Search/Retrieve URL - URL access mechanism|
|SRW||Search/Retrieve Web Service protocol|
|SSO||Single Sign On|
|UDDI||Universal Description, Discovery and Integration|
|XrML||Digital rights expression language by Content Guard|
|W3C||World Wide Web Consortium|
|Z39.50||A national and international standard (ISO 23950) defining a protocol for computer-to-computer information retrieval.|
Frequently-used MAMS terms
Limiting or granting access to a file system, Web site, or other digital environment, usually via some sort of authentication.
|Access Management System||The collection of systems and/or services associated with specific on-line resources and/or services that together derive the decision about whether to allow a given individual to gain access to those resources or make use of those services.|
|ACI||Access Control Instruction: Access control is the mechanism by which you define access. When the server receives a request, it uses the authentication information provided by the user in the bind operation, together with the access control instructions (ACIs) defined in the server, to allow or deny access to directory information. The server can allow or deny permissions such as read, write, search, and compare. The permission level granted to a user may depend on the authentication information provided. (Definition taken from iPlanet Directory Server 4 documentation.)|
|ACL||Access Control List: A list of Access Control Instructions (ACIs) constitutes an Access Control List.|
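The ACI and ACL entries above describe the evaluation a directory server performs: take the identity established at bind time, find the instructions that cover the target entry, and decide per permission. The following is an added illustration of that evaluation, not code from any directory product. The ACI shape, the "anyone"/"self"/bind-DN subject forms, the default-deny and deny-wins policy, and the dc=example,dc=edu names are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ACI is one access control instruction. Scope is the DN suffix of the
// directory subtree it covers; Subject is who it applies to: "anyone"
// (including anonymous binds), "self" (the bound user acting on their own
// entry), or a specific bind DN. Allow distinguishes grants from denials.
type ACI struct {
	Scope   string
	Subject string
	Allow   bool
	Rights  []string // subset of read, write, search, compare
}

// matches reports whether this ACI applies to a request from bindDN
// against the entry targetDN. An anonymous bind has an empty bindDN.
func (a ACI) matches(bindDN, targetDN string) bool {
	if !strings.HasSuffix(targetDN, a.Scope) {
		return false
	}
	switch a.Subject {
	case "anyone":
		return true
	case "self":
		return bindDN != "" && bindDN == targetDN
	default:
		return bindDN == a.Subject
	}
}

// permitted evaluates an ACL (a list of ACIs) for one right on one entry.
// Policy assumed by this example: default deny, and an explicit deny wins
// over any grant, whoever the requester is.
func permitted(acl []ACI, bindDN, targetDN, right string) bool {
	allowed := false
	for _, a := range acl {
		if !a.matches(bindDN, targetDN) {
			continue
		}
		for _, r := range a.Rights {
			if r != right {
				continue
			}
			if !a.Allow {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

// sampleACL is a constructed ACL for a fictional dc=example,dc=edu directory.
func sampleACL() []ACI {
	return []ACI{
		{"ou=people,dc=example,dc=edu", "anyone", true, []string{"read", "search"}},
		{"ou=people,dc=example,dc=edu", "self", true, []string{"write"}},
		{"dc=example,dc=edu", "cn=Directory Manager,dc=example,dc=edu", true,
			[]string{"read", "search", "write", "compare"}},
		// Nobody, the manager included, may write to the frozen archive subtree.
		{"ou=archive,dc=example,dc=edu", "anyone", false, []string{"write"}},
	}
}

func main() {
	acl := sampleACL()
	alice := "uid=alice,ou=people,dc=example,dc=edu"
	manager := "cn=Directory Manager,dc=example,dc=edu"
	archive := "cn=old,ou=archive,dc=example,dc=edu"
	fmt.Println("anonymous read of alice:", permitted(acl, "", alice, "read"))
	fmt.Println("anonymous write to alice:", permitted(acl, "", alice, "write"))
	fmt.Println("alice writes own entry:", permitted(acl, alice, alice, "write"))
	fmt.Println("manager writes archive:", permitted(acl, manager, archive, "write"))
}
```

The point to take from the sample ACL is the last instruction: because a deny is evaluated against every bind, including the administrative one, the ordering of grants and denials in the list does not change the outcome.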
|Active Directory||Microsoft's directory service product for storing user identity information, attributes and access policy. Active Directory is built into the Windows Server 2003 and Windows 2000 Server operating systems.|
|Administrative Contact||The Administrative Contact serves as the primary registrar and administrator of the organization's InCommon federation participation. The Administrative Contact is responsible for registering and maintaining technical aspects of the organization's participation in InCommon, including Credential Provider and/or Resource Provider information, metadata and Technical Contact information. The Administrative Contact is assigned and verified by the Executive Liaison.|
|Applicant||Role which initiates applications.|
|Approval||Within the context of management document descriptions, refers to the authorisation by the appropriate management entity to proceed with work described by a proposal or plan, or adopt a defined management process.|
|ARP - Attribute Release Policies||The rules that an Attribute Authority (AA) follows when deciding whether or not to release an attribute and its value(s).|
|Assertion||When an Identity Provider authenticates a user and directs them back to the referring Service Provider, it includes as part of the message an assertion to prove that the user authenticated. See also Identity Provider, Service Provider.|
|Assertion||The identity information provided by a Credential Provider to a Resource Provider.|
|Assisted Password Reset||An assisted password reset is a password reset accomplished by interaction between the user and a support analyst, typically over a telephone. Assisted password resets are similar to self-service password resets, but with the intervention of a support analyst.|
|Assisted takeup||A JISC project to support the work of the JISC core middleware programme (see http://www.jisc.ac.uk/index.cfm?name=funding_middlewareservice). See also Early adopters, JISC.|
|Athens||The Athens service was developed by Eduserv to provide single sign-on access to a collection of online information services. See http://www.athensams.net/. See also Single Sign-On.|
|Attribute||A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number, group affiliation, etc.|
|Attribute Assertion||A mechanism for associating specific attributes with a user.|
|Attribute Authority (AA)||The service that asserts the requester's attributes by creating an attribute assertion and then signing it. The sites must be able to validate this signature.|
|Attribute Authority subject DN||The distinguished name of the Attribute Authority.|
|Attribute Authority URL||The Internet address of the Attribute Authority.|
|Attribution||Assigning credit to the creator of an original work when the work is referenced, copied, distributed or performed.|
|Audit||An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.|
|Audit Trail||A list of all recorded activity, which resources are being accessed, when and by whom and what actions are being performed. Audit trails are one of the requirements of system accountability, enabling any system action or event to be traced back to the user responsible for it. Audit trails are also used to investigate cyber crimes. They are indispensable for incident response and the follow-up aspect of digital forensics. The audit trail enables the person investigating the incident to follow the trail that was left.|
|Authentication (authN)||A process used by a system to uniquely identify a user. Most systems authenticate users by asking them to type a secret password. Other forms of authentication include: 1) Using hardware tokens 2) Using a PKI certificate 3) Using a smart card 4) Providing a biometric sample (fingerprint, voice print, etc.) 5) Answering personal questions. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.|
|Authentication (authN)||Authentication in this context is the process of determining a user's identity, usually by verifying a supplied username and password combination. Single sign-on systems provide a means by which authentication information can be shared between services, so that a user does not have to authenticate multiple times. See also Authorisation, Single Sign-On.|
|Authentication (authN)||AuthN: Authentication is the process of establishing whether or not a real-world subject is who or what its identifier says it is. Identity can be proven by: something you know, like a password; something you have, as with smart cards, challenge-response mechanisms, or public-key certificates; something you are, as with positive photo identification, fingerprints, and biometrics. (For more on this topic, see the Internet2 Middleware Authentication website <http://middleware.internet2.edu/core/authentication.html>.) AuthN protocols such as Kerberos v5, Secure Sockets Layer (SSL), NTLM, and digest authentication protect the authN process and prevent the interception of credentials.|
|Authentication (authN)||Establishing the individual identity of a user, or determining that the user has certain attributes or is a member of a specified group.|
|Authentication (authN)||The process by which a person verifies or confirms their association with an electronic identifier; for example, entering a password that is associated with a UserID or account name. Also a security measure designed to establish the validity of a transmission, message, or originator, and a means of verifying an individual's authorization to receive specific categories of information.|
|Authentication Devices||Devices used by organizations to verify the identities of users requesting access to information and applications. Authentication devices include: Fingerprint, Face, Voice, Signature, Password/PIN, Smart Card/Swipe Card, and Token.|
|Authentication Token||A portable security device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords. These require complementary software or hardware. Smart cards, smart card readers, USB tokens, and touch memory devices are a few examples.|
|Authorisation (authZ)||Authorisation in this context is the process of determining a user's right to access a resource. Authorisation almost always relies on the user having been authenticated.|
|Authorisation (authZ)||AuthZ: based on the identity of a person, and the accompanying attributes or characteristics, allowing/denying access to resources. The determination that a request can be honoured is known as authorization. (For more on this topic, see the Internet2 Middleware Authorization website <http://middleware.internet2.edu/core/authorization.html>.) The process of evaluating whether an authenticated entity is authorised to do something to a particular resource under a defined set of circumstances. The process of resolving a user's entitlements against the permissions configured on a resource in order to control access.|
|Authorisation (authZ)||Establishing what an individual is permitted to do.|
|Authorisation (authZ)||The process of giving individuals access to system objects based on their confirmed Identity.|
|Authorisation (authZ)||The process of determining a specific person's eligibility to gain access to an application or function, or to make use of a resource. Also, a right or permission that is granted to access a system resource.|
|Billing Contact||The Billing Contact is responsible for executing and maintaining all of the organization's financial transactions associated with their InCommon federation participation, including communication with the Executive Liaison, Administrative Contact and federation accounting staff.|
|Biometric Authentication||Biometric authentication is any process that validates the identity of a user who wishes to sign into a system by measuring some intrinsic characteristic of that user. Biometric samples include fingerprints, retina scans, face recognition, voiceprints, and even typing patterns. Biometric authentication depends on measurement of some unique attribute of the user. Such systems presume that these user characteristics are unique, that they cannot be recorded and replayed later, and that the sampling device is tamper-proof.|
|Biometrics||Generally, the study of measurable biological characteristics. In computer security, biometrics refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked. There are several types of biometric identification schemes: Face: the analysis of facial characteristics; Fingerprint: the analysis of an individual's unique fingerprints; Hand geometry: the analysis of the shape of the hand and the length of the fingers; Retina: the analysis of the capillary vessels located at the back of the eye; Iris: the analysis of the colored ring that surrounds the eye's pupil; Signature: the analysis of the way a person signs his name; Vein: the analysis of the pattern of veins in the back of the hand and the wrist; Voice: the analysis of the tone, pitch, cadence, and frequency of a person's voice.|
|Blackboard||The Blackboard learning system is a Virtual Learning Environment (VLE) providing content management and student/teacher interaction. The IAMSECT project has plans to set up a Blackboard service as a Shibboleth Service Provider.|
|CA - Certificate Authority||A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption.|
|Carnegie Classification||The Carnegie Classification of Institutions of Higher Education is a taxonomy of U.S. higher education institutions. The 2000 Carnegie Classification includes all colleges and universities in the United States that are degree-granting and accredited by an agency recognized by the U.S. Secretary of Education. The 2000 edition classifies institutions based on their degree-granting activities from 1995-96 through 1997-98. http://www.carnegiefoundation.org/Classification/CIHE2000/defNotes/Definitions.htm|
|Certificate||A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.|
|Cluster||Clusters, by definition, are interconnected whole computers that cooperate to solve a problem. But behind the definition, clusters are fairly static and homogeneous creations. The number of nodes in a cluster might grow or shrink over time, but the intent of the cluster rarely changes (and if it does, it is usually with a significant amount of re-architecting). For example, a cluster assembled for purposes of weather forecasting or for geopetrol exploration will have software installed for those applications only. The individual users of the cluster may change over time, but typically even as users turn over, the applications they run on the cluster remain similar to those run by previous users. The types of data that cluster users manipulate are typically chosen during the creation of the cluster. Second, clusters are usually homogeneous, both in function and hardware. With the possible exception of the cluster manager, the purpose of the nodes in a cluster is to solve the same kind of problem. Therefore, the nodes of a cluster are usually machines with similar architectures and operating systems. They also have, in general, a uniform set of software libraries and applications. Finally, for ease of administration and access, clusters are generally in one physical location.|
|Confidentiality||Ensuring that a resource may only be used by its intended recipient.|
|Contact/Contactless||When used in conjunction with chip cards: whether the card is read by direct contact with a reader or has a transmitter/receiver system which allows it to be read using radio frequency technology (up to a certain distance).|
|Content Repository||A secure storage facility that is capable of handling a wide variety of content types, and enabling access to authorized users.|
|Copyright||Rights granted to an original work under applicable copyright law (in the U.S. by the 1976 Copyright Act and other relevant law).|
|CP - Certificate Policy||A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. http://www.ietf.org/rfc/rfc3647.txt|
|CP - Credential Provider||A campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants.|
|CPS - Certification Practice Statement||A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. http://www.ietf.org/rfc/rfc3647.txt|
|Credential||An object that is verified when presented to the verifier in an authentication transaction. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authorization. Electronic credentials can be digital documents used in authentication and access control that bind an identity or an attribute to a claimant's token or some other property, such as a current network address. Credentials are verified when presented to the verifier in an authentication transaction. Anonymous credentials are used to evaluate an attribute when authentication need not be associated with a known personal identity.|
|CSR- Certificate Signing Request||A digital file which contains a user's name and public key. The user sends the CSR to a Certificate Authority (CA) to be converted into a certificate.|
|Deactivation||Deactivation is the process of disabling a user's accounts, so that the user can no longer authenticate to those systems or access their resources or functions. Deactivation does not necessarily imply that the accounts are deleted -- simply that they are made inoperative.|
|Delegated User Administration||As the number of accounts in a system grows, central user administration becomes impractical. Delegated user administration is a feature found in some systems to enable designated users to create new users and manage existing users in just a segment of the user directory.|
|Derivative Work||A new work that is created by altering, transforming or building upon another work.|
|Digital Asset Security||Technologies for ensuring that digital assets are used only as authorized, particularly when they are delivered outside the company firewall.|
|Digital Certificate||In the PKI environment, the data, equivalent to an identity card, issued to a user by a CA (Certificate Authority), which he/she uses during business transactions to prove his/her identity.|
|Digital Signature||A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.|
|Digital Signature||The number derived by performing cryptographic operations on the text to be signed. This operation, or hash function (also called hash algorithm), is performed on the binary code of the text. The result is known as the message digest, and always has a fixed length. A signature algorithm is applied to the message digest, resulting in the digital signature.|
|Digital Signature||A digital signature provides information about the source of a digital object, and allows the receiver to determine if the object has been altered in transit.|
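The three Digital Signature entries above describe one procedure: hash the text to a fixed-length message digest, apply the signature algorithm to the digest, and let the receiver recompute the digest to detect alteration in transit. The following added example, written for this glossary rather than taken from any product, carries that procedure through with Go's standard library, using SHA-256 for the digest and RSA PKCS#1 v1.5 for the signature algorithm. The key size, the sample document text and the function names are choices of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// generateKey makes the signer's RSA key pair. 2048 bits is the smallest
// size worth using today; the private half never leaves the signer.
func generateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signDocument performs the two steps the entry describes: hash the
// document into a fixed-length message digest (32 bytes for SHA-256,
// however long the document is), then apply the signature algorithm
// (RSA PKCS#1 v1.5 here) to that digest. Both are returned so the caller
// can see that the signature is computed over the digest, not the text.
func signDocument(priv *rsa.PrivateKey, doc []byte) (digest, sig []byte, err error) {
	d := sha256.Sum256(doc)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return d[:], sig, err
}

// verifyDocument is the receiver's side: recompute the digest from the
// document actually received and check the signature against the
// signer's public key. Any alteration in transit changes the digest and
// the check fails; a signature made with a different key fails the same way.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	d := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

func main() {
	priv, err := generateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; any byte string works the same way.
	doc := []byte("Transcript request for student 0001: approved.")
	digest, sig, err := signDocument(priv, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("digest:    %x (%d bytes)\n", digest, len(digest))
	fmt.Printf("signature: %d bytes\n", len(sig))
	fmt.Println("original verifies:", verifyDocument(&priv.PublicKey, doc, sig))
	tampered := []byte("Transcript request for student 0002: approved.")
	fmt.Println("altered copy verifies:", verifyDocument(&priv.PublicKey, tampered, sig))
}
```

Note that verification needs only the public key and the received document; the receiver never needs the signer's private key, which is what lets the signature identify the source as well as detect alteration.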
|Directory||A directory is a specialized database that may contain information about an institution’s membership, groups, roles, devices, systems, services, locations, and other resources.|
|Directory||A collection of accounts managed by a single system. Directories may be internal to a system (e.g., the SAM database in a Windows NT domain), or may be shared by multiple systems (e.g., an LDAP directory).|
|Directory Cleanup||Manual system administration over an extended period of time tends to leave orphan accounts. Directory cleanup is a process used to identify orphans and deactivate their accounts. Some user provisioning systems incorporate tools for directory cleanup, including identification of orphans based on last login time/date or on user ID reconciliation, and batch deactivation of access.|
|Directory Migration||Mergers, divestitures, and software changes periodically necessitate that large numbers of user accounts be moved from one system to another in a short period of time. User provisioning systems may provide tools to assist in such migrations: to list and characterize users on one system, and to automatically create batches of users on another system.|
|Directory Services||Services that provide identity, demographic and authorization information on a user.|
|Directory Synchronization||A directory synchronization process compares users, user groups, and user attributes as they are defined on two or more systems. It applies business logic to detected differences, and automatically updates the users, user groups, and/or user attributes on at least one system to match those found on others.|
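The Directory Cleanup and Directory Synchronization entries above describe the same reconciliation loop from two angles: compare what an authoritative source says about users with what a target directory holds, flag accounts with no source record or no recent login as orphans, and push attribute differences from source to target. The following added example, written for this glossary and not taken from any provisioning product, implements that loop in Go. The record layout, the 180-day idle threshold, the deny/update/create rules and the example.edu sample data are all constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Account is a user record as one system holds it. Attrs carries the
// attributes being reconciled (this example uses mail and department).
type Account struct {
	ID        string
	Attrs     map[string]string
	LastLogin time.Time
}

// Action is one change the reconciliation would apply to the target directory.
type Action struct {
	Kind   string // "create", "update" or "deactivate"
	ID     string
	Detail string
}

// defaultMaxIdle is the constructed staleness rule: an account unused for
// longer than this is treated as an orphan.
const defaultMaxIdle = 180 * 24 * time.Hour

// reconcile compares the authoritative source with the target directory and
// returns the actions needed to bring the target into line, sorted by ID.
// Rules (assumptions of this example, not of any product):
//   - a target account with no source record is an orphan: deactivate;
//   - a target account idle longer than maxIdle is an orphan: deactivate;
//   - otherwise any attribute that differs is updated from the source;
//   - a source user absent from the target is created.
func reconcile(source, target map[string]Account, now time.Time, maxIdle time.Duration) []Action {
	var actions []Action
	for id, acct := range target {
		src, ok := source[id]
		switch {
		case !ok:
			actions = append(actions, Action{"deactivate", id, "orphan: no authoritative record"})
		case now.Sub(acct.LastLogin) > maxIdle:
			actions = append(actions, Action{"deactivate", id,
				"stale: last login " + acct.LastLogin.Format("2006-01-02")})
		default:
			for k, want := range src.Attrs {
				if got := acct.Attrs[k]; got != want {
					actions = append(actions, Action{"update", id, fmt.Sprintf("%s: %q -> %q", k, got, want)})
				}
			}
		}
	}
	for id := range source {
		if _, ok := target[id]; !ok {
			actions = append(actions, Action{"create", id, "present in source only"})
		}
	}
	sort.Slice(actions, func(i, j int) bool {
		if actions[i].ID != actions[j].ID {
			return actions[i].ID < actions[j].ID
		}
		return actions[i].Detail < actions[j].Detail
	})
	return actions
}

// sampleData returns a constructed HR-style source and a constructed target
// directory, plus the "current" date the staleness rule is evaluated against.
func sampleData() (source, target map[string]Account, now time.Time) {
	now = time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	day := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	source = map[string]Account{
		"alice": {"alice", map[string]string{"mail": "alice@example.edu", "department": "Physics"}, time.Time{}},
		"bob":   {"bob", map[string]string{"mail": "bob@example.edu", "department": "Library"}, time.Time{}},
		"dana":  {"dana", map[string]string{"mail": "dana@example.edu", "department": "Law"}, time.Time{}},
	}
	target = map[string]Account{
		"alice": {"alice", map[string]string{"mail": "alice@example.edu", "department": "Chemistry"}, day(2024, 2, 20)},
		"bob":   {"bob", map[string]string{"mail": "bob@example.edu", "department": "Library"}, day(2023, 1, 15)},
		"carol": {"carol", map[string]string{"mail": "carol@example.edu", "department": "Physics"}, day(2024, 2, 28)},
	}
	return source, target, now
}

func main() {
	source, target, now := sampleData()
	for _, a := range reconcile(source, target, now, defaultMaxIdle) {
		fmt.Printf("%-10s %-6s %s\n", a.Kind, a.ID, a.Detail)
	}
}
```

Returning a list of actions rather than applying them directly is deliberate: in practice the list is reviewed, or at least logged, before the batch deactivation the cleanup entry mentions is run, so that a source outage does not turn every account into an orphan in one pass.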
|Disabled Account||An account is disabled in the event that some administrator or user provisioning process, presumably with suitable authorization, actively set a flag to prevent further logins to that account. Most systems differentiate between locked and disabled accounts.|
|DMCA||Digital Millennium Copyright Act.|
|DN - Distinguished Name||Distinguished names are string representations that uniquely identify users, systems, and organizations. In general, DNs are used in LDAP-compliant directories. In certificate management systems, DNs are used to identify the owner of a certificate and the authority that issued the certificate.|
|DNS - Domain Name Service||An Internet service that translates domain names to and from IP addresses.|
|Domain Name||A domain name is that portion of an Internet Uniform Resource Locator (URL) that fully identifies the server program that an Internet request is addressed to. InCommonFederation.org is an example of a domain name.|
|DREL||Digital Rights Expression Language|
|DRM||Digital Rights Management|
|DRM - Digital Rights Management||The process of defining, tracking and enforcing permissions and conditions for digital content through digital means.|
|Early adopters||A JISC project for early adopters of Shibboleth technology (see http://www.jisc.ac.uk/index.cfm?name=funding). See also Assisted takeup, JISC.|
|eBook||A book in digital format that you can download to your computer and read using a software program. Depending on the specific format, the eBook can be read on a computer, PDA, or dedicated reader device with the proper software.|
|ebXML||XML for electronic business: it enables businesses to find each other electronically and conduct business through the exchange of XML-based business messages. Java APIs: JAXM (JSR 67) with the ebXML message service profile; JAXR (JSR 93) registry/repository; CPP/CPA (JSR 157).|
|eduOrg||An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduOrg object class focuses on the attributes of organizations. Current documentation on the eduOrg object class is available at http://www.educause.edu/eduperson/.|
|eduPerson||An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.educause.edu/eduperson/.|
|EL - Executive Liaison||The Executive Liaison serves as the main contact for the federation participant organization, and is responsible for approving the application, ensuring that agreements are signed by a person with proper signature authority, and annual agreement renewals. The Executive Liaison is also responsible for assigning the Administrative Contact and Billing Contact for the federation participant and keeping contact information current. The Executive Liaison is ultimately responsible for payment of fees and serves as a backup if the Administrative Contact is not available. The Executive Liaison role will typically be filled by a CIO, VP of IT, or other senior administrative officer responsible for the organization's information technology assets. For Internet2 University Members this role is initially filled by their Internet2 Executive Liaison. For organizations that are not an Internet2 University Member or a sub-group of an Internet2 University Member, this role must be filled by the CFO of the organization. The EL is responsible for ensuring that the person who signs the InCommon Participant Agreement and other required documents has the authority to sign such documents on behalf of their organization. A different InCommon Executive Liaison, who will assume all responsibilities of the Executive Liaison, may be designated after the application process is complete.|
|Electronic Identifier||A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a campus NetID, an employee or student ID, or a PKI certificate.|
|Electronic Identity||A set of information that is maintained about an individual, typically in campus electronic identity databases. May include roles and privileges as well as personal information. The information must be authoritative to the applications for which it will be used.|
|Electronic Identity Credential||An electronic identifier and corresponding personal secret associated with an electronic identity. An electronic identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.|
|Electronic Identity Database||A structured collection of information pertaining to given individuals. Sometimes referred to as an "enterprise directory". Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database, for example LDAP or a set of linked relational databases.|
|Encryption||The process of encoding information so it cannot be accessed without first being decrypted through the use of an encryption key.|
|Encryption||The scrambling of data so that it becomes difficult to unscramble or decipher. Scrambled data is called ciphertext, as opposed to unscrambled data, which is called plaintext. Unscrambling ciphertext is called decryption. Data encryption is done by the use of an algorithm and a key. The key is used by the algorithm to scramble and unscramble the data. The algorithm can be public (for inspection and analysis by the cryptographic community), but the key must be kept private. Encryption does not make unauthorized decryption impossible, but merely difficult. Time, and the power (ever increasing) of computers are the factors involved in the feasibility of decryption.|
|Enrollment||The initial process of collecting biometric data from a user and then storing it in a template for later comparison.|
|Enterprise directory||An enterprise directory is a core middleware architecture that may provide common authentication, authorization, and attribute services to electronic services offered by an institution. See the "Middleware Business Case" http://middleware.internet2.edu/earlyadopters/draft-internet2-ea-mw-business-case-00.pdf for a thorough discussion of the values provided by enterprise directory services.|
|Enterprise directory infrastructure||The infrastructure required to support and maintain an enterprise directory. This may include multiple directory hardware components as well as the processes by which data flows into and out of the directory service.|
|ETL||Tools handling data Extraction, Transformation, and Loading are called ETL tools. These tools are common in the data warehousing industry, but are not yet commonplace in the directory/identity management industry. While metadirectory products and directory integration products such as IBM Directory Integrator (formerly Metamerge Integrator) may be able to address this need, most institutions make use of Perl scripting.|
|Executive Committee (ExCom)||The Executive Committee (ExCom) of InCommon is responsible for the governance and management of the InCommon Federation.|
|Fair Dealing||The term used in place of Fair Use in many parts of the world.|
|Fair Use||Under US law, Section 107 of the Copyright act allows reproduction and use of a work for the purposes of research, teaching and reporting, subject to restrictions.|
|Federated Identity||The management of identity information between members of a federation.|
|Federation||A Federation is an organisation composed of institutions which agree on a common set of principles in order to share information. Federations form the core of the federated trust principle which Shibboleth is designed to use. See also Shibboleth.|
|Federation||A special kind of trust relationship established beyond internal network boundaries between distinct organizations.|
|Federation||A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.|
|FICE||A 6-digit identification code for educational institutions, originally created by the Federal Interagency Committee on Education. The code is still used when reporting enrollment and other information to IPEDS. The code will be asked for in the registration process for InCommon.|
|Fingerprinting||The process of extracting information about content to create a fingerprint for later matching and metadata retrieval. Such techniques work well for audio and visual content, but less well for text.|
|FOPP - Federation Operation Policies and Practices||The policies and practices the Federation operates under on a day-to-day basis. This document describes the activities of the Federation organization, the process of Participants applying and being accepted, etc., and how decisions are made.|
|GGF||OGSI is being standardized through the efforts of the Global Grid Forum (GGF), which is a community-initiated forum of researchers and practitioners working on distributed computing and grid technologies. GGF's primary objective is to promote and support the development, deployment, and implementation of grid technologies and applications via the creation and documentation of "best practices"--technical specifications, user experiences, and implementation guidelines.|
|Global User ID||A global User ID is an identifier that uniquely identifies a user in an organization. It may or may not be used as the user ID on any one system, but is guaranteed to be unique (i.e., no two users may share the same Global User ID).|
|Grid||Grids can be thought of as clusters without the pre-conceived limitations. Grids, like clusters, are interconnected whole systems that cooperate in solving problems. However, a grid can be thought of as a cluster that forms dynamically in response to requirements based on computing power and data sharing (with its associated authorization issues), without regard for the physical location where the computing power is generated, where the data is coming from, or on what kind of platform it is available. Imagine, in essence, having the ability to carve the necessary computing resources out of the universe of computing resources available to solve a specific problem, for whatever duration is required. A grid allows the dynamic, on-demand assembly of the different types of computing resources necessary to solve a particular problem. These computing resources usually belong to separate organizations whose members are interested in the solution of a given problem. This is the thinking that fostered the grid concept. The premise of grids is to share computing resources and data in a dynamic way on an unprecedented scale.|
|GUID||Globally Unique Identifier. A GUID is a unique identifier intended to identify a single person for the entire period of their interaction with an institution's electronic services. The GUID is intended to function as the primary key for an individual within an institution's enterprise directory, serving as a permanent link between all identifiers for an individual. GUIDs may be assigned according to an algorithm or constructed from source system identifiers. GUIDs should not be changed, reassigned, or retired. (The term "global" in this context means "within an institution", not across all institutions.) [See Addendum 4.5.2 – Why Social Security Number (or Any Government identifier) Is NOT A Good Guid and Early Harvest: Identifiers, Authentication, and Directories: Best Practices for Higher Education <http://middleware.internet2.edu/docs/internet2-mi-best-practices-00.html> for a thorough discussion of related issues.]|
|Handle||An opaque reference issued for a user's session for the purpose of retrieving attributes about the user. The handle itself carries no information about the user's identity; only the Identity Provider that issued it can map it back to the user.|
|Handle Service||The Identity Provider component responsible for (indirectly) providing a handle to be used for making user attribute requests to an Identity Provider Attribute Authority.|
|Handle Service subject DN||The distinguished name of the Handle Service.|
|Handle Service URL||The Internet address of the Handle Service.|
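The Handle, Handle Service and Attribute Authority entries above describe a privacy-preserving exchange: the user is authenticated locally, a resource site receives only a random handle, and attributes are released against that handle under a per-site policy. The following is an added example written for this glossary, not code from the Shibboleth project; it strips away the SAML transport and assumes a hypothetical `HandleService`/`AttributeAuthority` pair, a constructed directory, a requester identified by its provider URL, and a handle lifetime of 300 seconds, all of which are assumptions of the example.

```python
import secrets
import time

HANDLE_TTL = 300   # seconds a handle stays resolvable; assumed policy value


class HandleService:
    """Issues opaque handles for locally authenticated users.

    The handle is random and carries no user information; only the
    Identity Provider that issued it can map it back to a user.
    """

    def __init__(self):
        self._issued = {}   # handle -> (local user id, expiry time)

    def issue(self, local_user, now=None):
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(24)
        self._issued[handle] = (local_user, now + HANDLE_TTL)
        return handle

    def resolve(self, handle, now=None):
        """Return the local user for a live handle, or None.

        Handles are single-use here (a design choice of this example) so a
        captured handle cannot be replayed for a second attribute request.
        """
        now = time.time() if now is None else now
        entry = self._issued.pop(handle, None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]


class AttributeAuthority:
    """Answers attribute requests for a handle, releasing only what the
    per-requester attribute release policy allows."""

    def __init__(self, handle_service, directory, release_policy):
        self._hs = handle_service
        self._directory = directory
        self._policy = release_policy

    def attributes_for(self, handle, requester, now=None):
        user = self._hs.resolve(handle, now)
        if user is None:
            return None                      # dead, expired or unknown handle
        allowed = self._policy.get(requester, frozenset())
        return {k: v for k, v in self._directory[user].items() if k in allowed}


# Constructed sample directory and release policy (not real data).
DIRECTORY = {
    "u1234": {"eduPersonAffiliation": "staff",
              "mail": "jdoe@idp.example.edu",
              "displayName": "Jane Doe"},
}
RELEASE_POLICY = {
    # this resource site may learn affiliation, nothing else
    "https://journals.example.org/shibboleth": frozenset({"eduPersonAffiliation"}),
}


def demo(now=1000.0):
    """Issue a handle, request attributes once, then try to replay it."""
    hs = HandleService()
    aa = AttributeAuthority(hs, DIRECTORY, RELEASE_POLICY)
    handle = hs.issue("u1234", now)
    sp = "https://journals.example.org/shibboleth"
    first = aa.attributes_for(handle, sp, now)    # {'eduPersonAffiliation': 'staff'}
    replay = aa.attributes_for(handle, sp, now)   # None: handle already consumed
    return handle, first, replay
```

The resource site never sees the local user ID or the mail attribute: the handle is random, the directory lookup happens only at the Identity Provider, and the release policy is keyed by the requesting site. An unknown requester gets an empty attribute set rather than an error, which avoids leaking whether the user exists.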
|Higher Education Institution||A two- or four-year post-secondary, degree-granting institution that is regionally accredited by an agency on the U.S. Department of Education's list of Regional Institutional Accrediting Agencies (see http://www.incommonfederation.org/accrediting.cfm).|
|I2MI||The Internet2 Middleware Initiative (I2MI) was set up in 1999 and spawned the Shibboleth Project.
See also Internet2, Middleware, Shibboleth.
|IAMSECT||IAMSECT stands for 'Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching'.
IAMSECT is a JISC core middleware project to develop, test and disseminate practical approaches towards the adoption of Shibboleth technology within the UK.
The project has a particular focus on the issues of Authorisation (vs. Authentication), especially within the realm of clinical teaching, a field which provides a rich variety of privacy issues to consider.
|Identifier||Unique pointer, within a certain context (namespace) to an identity|
|Identity||Description of a person or organisation, e.g. by a set of characteristics or attributes. To avoid conflicting views, a person or organisation can only have one identity, but multiple roles.
WordNet dictionary - the individual characteristics by which a thing or person is recognized or known;
|Identity||Identity is the set of information associated with a specific physical person or other entity. Typically a Credential Provider will be authoritative for only a subset of a person's identity information. What identity attributes might be relevant in any situation depend on the context in which it is being questioned.|
|Identity||The username used to identify an individual to an application. An individual may have multiple Identities, one per application.|
|Identity Credential||An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.|
|Identity Database||A structured collection of information pertaining to a given individual. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database or set of linked relational databases.|
|Identity Federation||Identity federation allows users to present a single set of identity and authentication information to access applications and services across multiple domains and distributed, heterogeneous networks. A federated system allows a user’s identity in one domain to be used to gain access to resources in another domain without the need for separate authentication.|
|Identity Management||The comprehensive management and administration of user permissions, privileges, and individual profile data. It provides a single point of administration for managing the lifecycle of accounts and profile data.|
|Identity Management System||A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials.|
|Identity Provider||An identity provider is a service which asserts the identity of a user who is local to the institution running the provider.
See also Origin.
|Identity Provider||The originating location for a user. Previously called the Origin Site in the Shibboleth software implementation.|
|IdP||Acronym for Identity Provider.|
|IEEE LTSC||IEEE Learning Technology Standards Committee|
|InCommon CA Root Profile||The description of attributes and the data required to authenticate under the InCommon Certificate Authority (CA).|
|InCommon federation||InCommon is a formal federation of organizations focused on creating a common framework for trust in support of research and education. The primary purpose of the InCommon federation is to facilitate collaboration through the sharing of protected network-accessible resources by means of an agreed-upon common trust fabric. InCommon participation is separate from membership in Internet2.|
|InCommon Technical Advisory Committee||Group of individuals that provide technical guidance and direction for InCommon.|
|Increment||Used within the context of the USDP SDLC, refers to the defined output of a single USDP iteration. Within MAMS, the term ‘increment’ is synonymous with ‘stage increment’.|
|InQueue||InQueue is a test federation operated by Internet2. InQueue is designed to allow institutions to add test services and identity providers to an existing federation to aid in testing. See http://inqueue.internet2.edu/.
See also Federation, Internet2.
|InQueue||InQueue is a federation of organizations who are interested in using the Shibboleth technology and exploring how federations work prior to joining a production federation such as InCommon. Participation in InQueue is open to any technically qualifying organization. http://inqueue.internet2.edu/|
|Integrity||Establishing that an object has not been altered in any way.|
|Integrity||The assurance that information has not been changed or corrupted by an unauthorized party.|
|Internet2||Internet2 is a U.S. consortium of Universities which develops technologies to support education, such as Shibboleth.
See also Shibboleth.
|Intruder Lockout||Some systems monitor failed authentication attempts, and if too many attempts to sign on with a single account are detected, the account is locked. This mechanism is intended to deter intruders, who may attempt to guess the password for one or more accounts. Intruder lockout may also be triggered by users who persistently mistype their own passwords (e.g., with the Caps Lock or Num Lock key depressed). Intruder lockouts mean that authentication to the affected account is impossible, but an administrator has not intentionally disabled the account. Most systems differentiate between locked and disabled accounts.|
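The entry above separates three states that real systems often blur: active, locked by the intruder-lockout mechanism (clears itself after a period), and disabled by an administrator (never clears itself). The following is an added example for this glossary, not code from any of the systems the page describes; the threshold, window and lockout duration are assumed policy values, and `Account`, `authenticate`, `admin_unlock` and `admin_disable` are hypothetical names chosen for the illustration.

```python
import hmac
import time
from dataclasses import dataclass, field

# Policy values are assumptions for the example, not values from the page.
LOCKOUT_THRESHOLD = 5        # failures inside the window that trigger a lock
LOCKOUT_WINDOW = 15 * 60     # seconds; older failures stop counting
LOCKOUT_DURATION = 30 * 60   # seconds an intruder lockout lasts before it clears itself


@dataclass
class Account:
    name: str
    password: str                 # plaintext only for the demo; store a salted hash in practice
    disabled: bool = False        # set deliberately by an administrator; never clears itself
    failures: list = field(default_factory=list)   # timestamps of recent failed attempts
    locked_until: float = 0.0     # intruder lockout expiry; 0 means not locked

    def status(self, now=None):
        now = time.time() if now is None else now
        if self.disabled:
            return "disabled"
        if now < self.locked_until:
            return "locked"
        return "active"


def authenticate(acct, password, now=None):
    """Return (success, status).

    A locked or disabled account rejects even the correct password, so a
    guesser learns nothing while the lock is in force. Only failures inside
    the window count toward the lock; a user who mistypes occasionally over
    a long period is not locked out.
    """
    now = time.time() if now is None else now
    state = acct.status(now)
    if state != "active":
        return False, state
    acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW]
    if hmac.compare_digest(password.encode(), acct.password.encode()):
        acct.failures.clear()
        return True, "active"
    acct.failures.append(now)
    if len(acct.failures) >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_DURATION
        acct.failures.clear()
        return False, "locked"
    return False, "active"


def admin_unlock(acct):
    """Clears an intruder lockout early; deliberately leaves the disabled flag alone."""
    acct.locked_until = 0.0
    acct.failures.clear()


def admin_disable(acct):
    """Deliberate disablement, distinct from a lockout: only an admin reverses it."""
    acct.disabled = True
```

Two details matter for a help desk: `admin_unlock` on a disabled account does nothing visible, because locked and disabled are tracked separately, and the lock rejects the correct password too, so a locked user cannot tell whether their password is still valid.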
|IP||Acronym for Identity Provider. Might also refer to Internet Protocol.|
|IPR - Intellectual Property Rights||The rights given to people over the creations of their minds (WTO, 2003). In practice IPR most often refers to ownership rights of individuals, including copyrights, patents and trademarks.|
|IPsec||IPsec (Internet Protocol security) provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more "paths" between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. (The term "security gateway" is used throughout the IPsec documents to refer to an intermediate system that implements IPsec protocols; for example, a router or a firewall implementing IPsec is a security gateway.) (Source: http://www.ietf.org/rfc/rfc2401.txt)|
|Issuer||The CA that issues a certificate.|
|Iteration||Used within the context of the USDP SDLC, refers to the sequence of activities required to deliver an increment. As defined by the USDP, those software development activities typically include a mix of proposal; management; requirements gathering and analysis; software design; implementation; quality assurance and system deployment.|
|JISC||From the JISC website: 'The Joint Information Systems Committee (JISC) supports further and higher education by providing strategic guidance, advice and opportunities to use Information and Communications Technology (ICT) to support teaching, learning, research and administration.
JISC is funded by all the UK post-16 and higher education funding councils.'.
|JSTOR||A not-for-profit academic journal archive. See http://www.jstor.org/.|
|Kerberos||Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using symmetric cryptography; DES was the cipher of the original design, but current Kerberos implementations use AES, since DES is no longer considered secure.|
|LCMS||Learning Content Management System|
|LDAP - Lightweight Directory Access Protocol||An IETF standard for directory services.|
|LDAP directory||An LDAP directory is one that supports the Lightweight Directory Access Protocol (LDAP). LDAP is a widely adopted IETF standard directory access protocol well suited to the authentication and authorization needs of modern application architectures. SunONE Directory Server (formerly iPlanet Directory Server), Netscape Directory Server, OpenLDAP, Novell eDirectory, Oracle Internet Directory, and Microsoft Active Directory are examples of LDAP directories. (For more on this topic, see RFC1487 http://www.ietf.org/rfc/rfc1487.txt, RFC1777 http://www.ietf.org/rfc/rfc1777.txt, RFC2251 http://www.ietf.org/rfc/rfc2251.txt, and the LDAP Roadmap http://www.kingsmountain.com/ldapRoadmap.shtml. RFC 2251 has since been superseded by RFC 4510 and its companion documents.)|
|LDIF - LDAP Data Interchange Format||A plain-text file format (RFC 2849), not a protocol, for representing directory entries and changes to them, used for exchanging data among LDAP directories and for bulk import and export.|
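Because LDIF is a file format that import tools consume, the parser is where its security-relevant details live: folded lines, base64 (`::`) values, and URL-valued (`:<`) attributes that an importer must not dereference on untrusted input. The following is an added example written for this glossary, not code from any directory product; the sample records are constructed, and `parse_ldif`, `unfold` and the `allow_urls` switch are hypothetical names for the illustration.

```python
import base64

# Constructed sample LDIF (not from any real directory). The second record
# carries a URL-valued attribute, which is the case worth refusing.
SAMPLE_LDIF = """\
version: 1
# comment lines are ignored
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: eduPerson
uid: jdoe
cn: Jane Doe
eduPersonAffiliation: staff
eduPersonAffiliation: member
description: a long value that is folded
  across two physical lines
displayName:: SmFuZSBEb2U=

dn: uid=mallory,ou=people,dc=example,dc=edu
uid: mallory
jpegPhoto:< file:///etc/passwd
"""


def unfold(text):
    """Join continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text, allow_urls=False):
    """Return a list of entries, each a dict of attribute -> list of values.

    'attr:: ...' values are base64-decoded. 'attr:< url' values are refused
    unless allow_urls is set, and even then are kept as the URL string and
    never fetched: an importer that dereferences file:// URLs found in
    untrusted LDIF becomes a local file read primitive for whoever wrote it.
    """
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line.strip() == "":
            if current:               # blank line ends a record
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            url = rest[1:].strip()
            if not allow_urls:
                raise ValueError(f"refusing URL-valued attribute {name}: {url}")
            value = url
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries
```

With the default `allow_urls=False` the sample is rejected outright at the `jpegPhoto:<` line; an importer that needs URL values should resolve them only against an allow-listed base directory, never the raw URL.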
|Liberty Alliance||The Liberty Alliance Project [LibAll] consists of a diverse consortium of businesses whose common aim is to define an open standard framework for enabling business transactions via web services within a circle of trust or federation.|
|Liberty Alliance||A consortium of technology and consumer-facing organizations, formed in September 2001 to establish an open standard for federated network identity. http://www.projectliberty.org/|
|License||A license is a legal vehicle for granting an individual or organization an explicit collection of rights and conditions for the use or distribution of a copyrighted work.|
|LMS||Learning Management System|
|MAMS||Meta Access Management System, a 3-year AUD$4.2 million project funded by DEST, the Department of Education Science and Training in Australia, as part of 'Backing Australia's Ability'.|
|Meta Directory||Some organizations deploy a meta directory to synchronize user and user attributes between multiple user directories. A meta directory program is software that compares users and user attributes as defined on multiple systems, and automatically propagates changes made on an authoritative system to other systems. For example, if a user's HR record is updated with a new home telephone number, a meta directory might update the corporate e-mail system and LDAP directory with the same new information. Meta directory software normally implements a directory synchronization process.|
|metadata||Data about data, or information known about an object in order to provide access to the object. Usually includes information about intellectual content, digital representation data, and security or rights management information.|
|Meta-directory||The metadirectory represents processes where source data is captured, transformed, and presented in an Enterprise directory.|
|Middleware||Software that bridges the operation of two or more programs. JISC define Middleware as "the process of helping institutions to connect people to resources".
The term 'Core Middleware' refers to software services that provide authentication, authorisation, directory services and user identifiers. see http://www.jisc.ac.uk/index.cfm?name=middleware_team.
|Middleware||Software that mediates between an application program and a network. It manages the interaction between disparate applications across the heterogeneous computing platforms.|
|Milestone||Used within the context of the PRINCE2 methodology, refers to the defined output of a single PRINCE2 stage. Within MAMS, the term ‘milestone’ is synonymous with ‘project milestone’.|
|MPEG||Motion Pictures Experts Group|
|Multi-Channel Publishing||Enables content to easily be reused or repurposed, and delivered to different channels. These could include mobile devices, PDAs, print, and interactive television.|
|Namespace||A set of names in which all names are unique.|
|NetID||An electronic identifier created specifically for use with on-line applications, often an integer and typically with no other meaning.|
|Non-repudiation||Proof that an action was taken (e.g. an email sent) at a particular time and by a particular person or agent.|
|Non-repudiation||Assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data.|
|OASIS||Organization for Advancement of Structured Information Standards|
|OASIS||The Organization for the Advancement of Structured Information Standards (OASIS) is a standards body involved in the creation of international standards for electronic business. OASIS particularly focuses on standards for Web Services and security. See http://www.oasis-open.org/who/. OASIS is responsible for the SAML standard.
See also SAML.
|ODRL||Open Digital Rights Language|
|OeBF||Open eBook Forum|
|Offer||An offer to grant specific rights, or a request to be granted specific rights.|
|OGSA||Open Grid Service Architecture: A grid service in this context is a Web service tailored to the requirements of a grid environment. This architecture abstracts and virtualizes the hardware and software platform on which the grid services will run. Thus, it provides a mechanism to allow grid nodes to interact with each other through grid services, irrespective of their hardware/software platforms. Implemented in the GLOBUS toolkit (includes the security service, a managed job service that allows remote execution of programs, a file transfer service, and an information service that exposes and indexes information about the other services and system information). IBM WebSphere will implement it as well.|
|OGSI||Open Grid Service Infrastructure (OGSI), which defines a set of interfaces that every grid service must expose and implement.|
|Open Source Software||Software where the source code is available for anyone to extend or modify. http://www.opensource.org/|
|Open Source Software||Software that is freely available for use and distribution by anyone. This term usually also implies the existence of an open community of developers who contribute to the code base, accept specific open source licensing terms and share information about the initiative. Some open source licenses require that any derivative works based on open source software also be made available to others under the same open source license terms.|
|Origin||Origin is an alternative name for a Shibboleth Identity Provider.
See also Identity Provider.
|Orphan Account||An orphan account is an account belonging to a user who has left the organization.|
|PA - Participant Agreement||This is the "contract" that a potential Participant signs when they are accepted by the Federation. This document outlines information such as fees, and responsibilities to participate in InCommon.|
|Participant||An organization accepted into the InCommon Federation that has met all the criteria for participation as either a higher education institution or a Sponsored Partner.|
|Password||A password is a secret string of characters that a user types when signing into a system, to prove his identity. Identity is established by virtue of the assumption that no other person knows the user's password. This implies that the password is difficult to guess, is not written down, and has not been shared with others.|
|Password Change||A password change is a routine process whereby a user, who knows his own password, selects a new, replacement password value for use on one or more systems.|
|Password Management||Refers to self-service password resets, password synchronization and delegated user administration.|
|Password Reset||A password reset is some process where a user who has either forgotten his own password, or triggered an intruder lockout on his own account, can authenticate with something other than his password, and have a new password administratively set on his account. Assisted password resets are similar to self-service password resets (self-service-reset), but with the intervention of a support analyst.|
|Password Synchronization||A password synchronization system is any software or process used to help users maintain a single password value on multiple password-protected systems. Password synchronization may be optional or mandatory. Users may be encouraged to synchronize their passwords manually, or provided with an automated system for updating multiple|
|PERMIS||PrivilEge and Role Management Infrastructure Standards Validation:
The PERMIS project intends to explore and to demonstrate the feasibility of the distributed approach. The fundamental objective is to set up and to demonstrate an "infrastructure" able to solve both the authentication and the authorisation issues, letting each attribute owner or manager directly certify the attributes of individuals.
|Persistent Rights Management||Associating rights with a work in a way that persists as the work moves through a network and is used by different applications, platforms and people.|
|personal secret||Used in the context of this document, is synonymous with password, pass phrase or PIN. It enables the holder of an electronic identifier to confirm that s/he is the person to whom the identifier was issued|
|PKI - Public Key Infrastructure||The PKI includes the Certificate Authority (CA), key directory, and management. Other components, such as key recovery and registration, may be included. It supports a form of cryptography in which each user has a public key and a private key:
messages are sent encrypted with the receiver's public key, and the receiver decrypts them using the private key.
|PKI - Public Key Infrastructure||Short for public key infrastructure, a system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction. PKIs are currently evolving and there is no single PKI or even a single agreed-upon standard for setting up a PKI. However, nearly everyone agrees that reliable PKIs are necessary before electronic commerce can become widespread. A PKI is also called a trust infrastructure.|
|PKI - Public Key Infrastructure||The set of standards and services that facilitate the use of public-key cryptography in a networked environment.|
|Policies||Statements that outline the process and procedures that will be followed.|
|Policy-Based Access Control||Policy-based access control is a strategy for managing user access to one or more systems, where business classification of users is combined with policies to determine what access privileges a user should have. Theoretical privileges are compared to actual privileges, and differences are automatically applied. For example, a role may be defined for a territory sales manager. Specific types of accounts on the network, sales-force automation software and document management system may be attached to this role. Appropriate users are then attached to this role.|
|POP - Participant Operating Practices||This document describes how InCommon Participants need to describe their credential and identity management system.|
|PRINCE2||Projects In Controlled Environments 2. A Project Management Methodology which has become a de facto standard for management of large IT projects.|
|Privacy||The anonymity and secrecy of information, i.e. preventing others from obtaining information about you or the things you are doing.|
|Privileges||A privilege is the right to do something on a system. Privileges normally relate either to the ability to access data (e.g., update a payroll record) or the ability to use some feature (e.g., surf the Internet).|
|Profile||Data comprising the broad set of attributes that may be maintained for an identity, and the data required to authenticate under that identity.|
|Project Milestone||see Milestone|
|Protection||Protecting a work from unauthorized use.|
|Provisioning||The process of adding identities to an identity store and establishing initial credentials and entitlements for them. Deprovisioning works in the opposite manner, resulting in the deletion or deactivation of an identity. Provisioning and deprovisioning typically work with identity integration services to propagate additions, deletions, and deactivations to connected identity stores.|
|Provisioning||The process of providing customers or clients with accounts, the appropriate access to those accounts, all the rights associated with those accounts, and all of the resources necessary to manage the accounts. When used in reference to a client, provisioning can be thought of as a form of customer service.|
|Provisioning||The process of providing users with access to data and technology resources. The term typically is used in reference to enterprise-level resource management. Provisioning can be thought of as a combination of the duties of the human resources and IT departments in an enterprise, where (1) users are given access to data repositories or granted authorization to systems, applications and databases based on a unique user identity, and (2) users are appropriated hardware resources, such as computers, mobile phones and pagers. The process implies that the access rights and privileges are monitored and tracked to ensure the security of an enterprise's resources.|
|Pubcookie||Pubcookie is an open-source single sign-on technology based on the Internet2 WebISO (Web Initial Sign-On) approach. It allows institutions to leverage existing password stores, e.g. Microsoft's Active Directory, to provide web-based single sign-on.|
|Public / Private key encryption||An encryption approach whereby encryption is done using a user’s public key, but decryption can only be done through the user’s private key, which is never shared outside of the user’s environment. Knowing the public key does not make it possible to derive the private key and decrypt the content.|
|Public Domain||A rights holder can place their content completely into the public domain. However, in the academic community accepted practice still dictates that attribution should occur when public domain content is used.|
|Public Key Cryptography||A cryptographic technique that uses two keys: the first key is always kept secret by an entity, and the second key, which is uniquely linked to the first one, is made public. Messages created with the first key can be uniquely verified with the second key.|
|PUI - Persistent Unique Identifier||A centrally registered identifier system that provides both a globally unique identifier for every separate piece of content, and a registry for accessing and maintaining accurate location information for that asset.|
|RBAC - Role-based Access Control||Access control that is granted based on your role within an organization (e.g. teacher, student, system administrator). Roles may be established through authentication and directory services or by other means, such as logging on through a campus IP address.|
|RBAC - Role-Based Access Control||In the context of a single system, role-based access control (RBAC) means a process where access privileges on a single system are grouped into roles, and users are attached to roles as a convenient mechanism to manage their privileges. Implementation of single system RBAC is simple, and almost every modern operating system and database supports roles or privilege groups. In the context of a user provisioning across multiple systems, RBAC means that types of accounts on multiple systems are grouped into roles, and users are attached to roles as a convenient mechanism to control user privileges across multiple systems. Implementation of multi-system RBAC is complex, since users may belong to multiple roles, which specify different or conflicting privileges on the same system. User classification, role definition and conflict resolution make multi-system RBAC a significant challenge.|
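The Policy-Based Access Control entry and the multi-system RBAC entry above describe the same loop: derive theoretical privileges from a user's roles, compare them with actual privileges, apply the differences, and deal with roles that conflict on one system. The following is an added example for this glossary, not code from any provisioning product; the role model, the deny list and the rule that a conflicting system is reported rather than changed are constructed assumptions for the illustration.

```python
# Constructed role model (assumptions for the example, not the page's data):
# each role grants a set of (system, account type) privileges.
ROLES = {
    "territory_sales_manager": {("crm", "manager"), ("docs", "editor"), ("network", "vpn")},
    "sales_rep":               {("crm", "user"), ("docs", "reader")},
    "contractor":              {("docs", "reader")},
}

# Privileges a role must never hold, even if another role grants them.
# Conflict-resolution rule used here: an explicit deny wins over any grant.
DENIES = {
    "contractor": {("network", "vpn"), ("crm", "user")},
}


def desired_privileges(user_roles):
    """Theoretical privileges for a user: union of role grants minus denies."""
    granted, denied = set(), set()
    for role in user_roles:
        granted |= ROLES.get(role, set())
        denied |= DENIES.get(role, set())
    return granted - denied


def reconcile(user_roles, actual):
    """Compare theoretical with actual privileges.

    Returns (grant, revoke, conflicts). A system on which the user's roles
    ask for more than one account type is a conflict: it is reported for
    review and nothing on that system is granted or revoked automatically,
    so a bad role definition cannot silently escalate or strip access.
    """
    desired = desired_privileges(user_roles)
    types_by_system = {}
    for system, acct_type in desired:
        types_by_system.setdefault(system, set()).add(acct_type)
    conflicts = {s: sorted(t) for s, t in types_by_system.items() if len(t) > 1}
    grant = sorted(p for p in desired - actual if p[0] not in conflicts)
    revoke = sorted(p for p in actual - desired if p[0] not in conflicts)
    return grant, revoke, conflicts
```

Run against a sales rep who still holds a VPN account from a previous job, `reconcile` grants the missing document-system access and revokes the VPN; for a user who is both manager and rep, the CRM and document systems are reported as conflicts and left untouched until someone decides which account type wins.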
|RDD - Rights Data Dictionary||A standardized vocabulary for expressing rights and conditions in a rights expression language|
|Registry||The registry is the system in which identity of resources is resolved. This often refers to a database component of the enterprise directory.
Alt. def.: Data taken from multiple source/owner systems to which "intelligence" has been applied in preparation for feed to one or more directories, applications, or other consumer systems. Further "intelligence" may be applied as part of any individual feeding process. Registry data may be housed in a relational database, indexed files, or a directory server.
|REL||Rights Expression Language|
|REL - Rights Expression Language||A human and machine interpretable language for expressing rights, licenses, offers and other rights concepts.|
|Relying party||A recipient of a certificate who acts in reliance on that certificate and/or any digital signatures verified using that certificate. http://www.ietf.org/rfc/rfc3647.txt|
|Right||A right or permission is “the most that one can do with a resource.” It specifies how one may access or utilize a resource.|
|Rights Enforcement||Using technology to ensure that rights are not violated. For example, creating an Adobe PDF with protection that prevents it from being printed is not an act of enforcement. The enforcement occurs when you try to print the file and can’t.|
|Rights Expression||The expression of IPR (including copyright, distribution rights, licenses and license requirements, and attribution and attribution requirements) associated to a resource. The expression of rights is separate from their enforcement.|
|Role||The specific rights, duties and activities that a person or organisation (an identity) has or performs within a certain context. A role is usually characterised by a subset of an identity's attributes; for example, being a professor at Macquarie University and a member of the E-Learning community. An identity can have multiple roles, and each role should have a unique identifier.|
|RP - Resource Provider||A campus or other organization that makes online resources available to users based in part on information about them that it receives from other InCommon participants.|
|RPC||Remote Procedure Calls, allowing a client to call a procedure on a server.|
|SA||A Security Association (SA) is a simplex "connection" that affords security services to the traffic carried by it.|
|SAML||A security standard, created by OASIS, which is used to build a federation. SAML is defined by OASIS as a "Security Assertion Markup Language, an XML-based security specification for exchanging authentication and authorization information".
See also OASIS.
|SAML||Security Assertion Markup Language - a standard, developed by the OASIS Security Services Technical Committee, for the exchange of authentication and authorization information across security domains.|
|SCORM||Sharable Content Object Reference Model|
|SDLC||System Development Lifecycle (equiv. Software Development Lifecycle)|
|SDSS||The Shibboleth Development and Support Services at EDINA, an Edinburgh based JISC-funded national data centre, is a Shibboleth Federation for managing UK online resources.
|Security||The prevention of unauthorized access and use via a combination of some or all of the other functions in this section.|
|Self-Service Password Reset||A password reset (see Password Reset) that the user completes without help-desk intervention: the user authenticates by some means other than the forgotten or locked-out password, and a new password is then set on the account.|
|Service Provider||A service provider is a web-based service which is protected by Shibboleth.
See also Target.
|Session Key||An encryption key that only works for a particular session.|
|Shibboleth (the word)||A custom, principle or belief that distinguishes the members of a particular sect or movement.|
|Shibboleth||Shibboleth is a combination of software and a federated trust model to support the sharing of resources between institutions such as Universities. Shibboleth was originally developed by the Internet2 group and is being tested and explored by a number of JISC projects (such as IAMSECT) to assess its suitability within the UK.
See also Internet2.
|Shibboleth®||Software developed by Internet2 to enable the sharing of web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site to enable that site to make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies that control what information about a user can be released to each destination. For more information on Shibboleth please visit http://shibboleth.internet2.edu/shib-uses.html.|
|Shibbolize||Shibbolize, verb. 'to Shibbolize': adjust a Service so that access via Shibboleth is possible. See also Service Provider, Shibboleth.|
|SHIRE||The SHIRE is a component of the Shibboleth Target software. It is responsible for managing authentication. See also Shibboleth, Target.|
|Signature Methods||Analyze the characteristics of a signature. Characteristics recorded include: speed, sequence, and pressure. Signature recognition technologies require a digital input tablet, compatible electronic pen, and supporting software.|
|Sign-off||Within the context of management document descriptions, refers to the declaration that a document is complete and, in the case of proposals and plans, ready for submission to the appropriate management entity for Approval.|
|Single key encryption||An encryption approach where the same key is used to encrypt and decrypt content.|
|Smart Card||A small electronic device about the size of a credit card that contains electronic memory, and possibly an embedded integrated circuit (IC). Smart cards containing an IC are sometimes called Integrated Circuit Cards (ICCs). Smart cards are used for a variety of purposes, including:
1) Storing a patient's medical records
2) Storing digital cash
3) Generating network IDs (similar to a token)
To use a smart card, either to pull information from it or add data to it, you need a smart card reader, a small device into which you insert the smart card.|
|SOAP||Simple Object Access Protocol, used especially for sending XML-based text messages across the Internet. It defines the message envelope (with a header that can optionally describe security- or transaction-related information, and a body for the data), encoding rules, an RPC convention, and the binding to underlying protocols.
Java API: JAXM, SAAJ, JAX-RPC (JSR 101), JMS|
|SP||Acronym for Service Provider.|
|Sponsored Partner||A business partner that provides resources to a higher education institution, and is sponsored for participation in InCommon by a participating higher education institution.|
|SSO||SSO stands for 'Single Sign On'.|
|SSO - Single Sign-On||Single Sign-On (SSO) is a term used to describe technology which allows a user to access multiple resources while only having to authenticate once. An example of a Single Sign-On technology is Pubcookie.|
|SSO - Single Sign-On||An authentication process in a client/server relationship where the user, or client, can enter one name and password and have access to more than one application, or to a number of resources within an enterprise. Single sign-on removes the need for the user to authenticate again when switching from one application to another. It is also written 'single sign on' and is abbreviated as SSO.|
|Stage||Used within the context of the PRINCE2 methodology, refers to the sequence of management activities required to deliver a project milestone, including management of product (software system) delivery using the USDP.|
|Stage Increment||see Increment|
|Support Contact||The Support Contact is the primary contact for error handling. The Support Contact may be a help desk or a designated support person.|
|Target||A Shibboleth Target is a Service, access to which is controlled by Shibboleth. Target is the name used in technical documents; Service Provider is the equivalent term in managerial documents. See also Service Provider, Shibboleth.|
|Technical Contact||The Technical Contact for InCommon serves as the primary point of contact for all technical issues for the organization participating in InCommon. The technical contact communicates with federation technical staff to ensure smooth operation of the federation's infrastructure.|
|Trust||A state that describes the agreements between different parties and systems for sharing identity information. A trust is typically used to extend access to resources in a controlled manner while eliminating the administration that would otherwise be incurred to manage the security principals of the other party. Trust mechanisms include cross-forest trusts in Windows Server 2003 and trusts between realms using the Kerberos v5 authN protocol.|
|Trusted Application||An application that interprets and enforces DRM rules.|
|Two-Factor Authentication||Two-factor authentication is authentication using any two different methods. The most popular two-factor system is a combination of hardware tokens and passwords.|
|UBL||Universal Business Language|
|UDDI||Universal Description, Discovery and Integration, for publishing and finding web services. It consists of three views:
White pages - address, contact, and known identifier
Yellow pages - industry categorization
Green pages - technical information about services (in WSDL)
Java API: JAXR (JSR 67)|
|URI - Uniform Resource Identifier||The name for identifying an abstract or physical resource.|
|URL - Uniform Resource Locator||The address of a resource accessible on the Internet. URLs are a subset of URIs.|
|URN - Uniform Resource Name||Refers to the subset of URIs that are required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable.|
|USDP||Unified Software Development Process. A de facto standard for software development based on object-oriented principles and use of the Unified Modelling Language (UML) for requirements specification and analysis and software design.|
|User||Any person who interacts directly with a computer system.|
|User Groups||A user group is a list of accounts on a system. User groups are used to simplify administration of privileges (i.e., assign privileges to the group, and actively manage just the membership of the group). User groups are also used for non-security functions, such as mailing lists.|
|User ID||On most systems, accounts are uniquely identified by a short string of characters. This is called the User ID, login ID or login name.|
|User ID Reconciliation||Users may have different User IDs (userids) on different systems. Any system intended to manage user access or authentication across multiple systems must begin by constructing profiles for each user, which attach User IDs on each system where that user has an account.|
|User Name||A unique handle assigned to each authorized user upon system registration.|
|USHER - US Higher Education Root||USHER is the replacement for the CREN Certificate Authority. USHER will issue Institutional Certificates to US institutions of higher education and is the certificate issuing authority for Internet2.|
|Validation||The process of identification of certificate applicants.|
|Verification (1:1, Matching, Authentication)||The process of establishing the validity of a claimed identity by comparing a verification template to an enrollment template. Verification requires that an identity be claimed, after which the individual's enrollment template is located and compared with the verification template. Verification answers the question, "Am I who I claim to be?"|
|Virtual Organisation||A Virtual Organisation is one that is composed from people and resources belonging to a variety of different institutions, with no requirement for them to be geographically near to one another.|
|Virtual Organisations||At the heart of understanding the grid paradigm is the concept of virtual organizations, or VOs. A VO is a set of individuals and/or institutions that are dynamically brought together to solve a problem. The VO might span multiple companies, academic organizations, or government departments that have an interest in solving a common problem. Interactions among members of the VO are governed by a well-defined set of rules. The sharing of resources is highly controlled, "with resource providers and consumers defining clearly and carefully just what is shared, who is allowed to share, and the conditions under which sharing occurs," according to Foster, Kesselman, and Tuecke in their paper, The Anatomy of the Grid: Enabling Scalable Virtual Organizations.|
|VO||VO is an acronym for Virtual Organisation.|
|Watermarking||Data embedded in content in a way that is imperceptible to the user, but that can be detected by special watermarking software. Allows content to be identified if it is copied.|
|WAYF||A 'Where Are You From' service. This service allows a user to select their home institution's Identity Provider and redirects them there to be authenticated. A Service Provider can define the WAYF to which unauthenticated users are directed. A WAYF is typically run on behalf of a federation. See also Service Provider, Identity Provider, Federation.|
|WAYF - Where Are You From||A server used by the Shibboleth software to determine what a user's home organization is.|
|WAYF service||Where Are You From service, allowing users to associate themselves with a chosen institution, and redirecting the user to the known address for the handle service of that institution.|
|Web Access Management||The use of identity information to authenticate users and authorize access to multiple Web applications.|
|Web-Based Password Synchronization||A Web-based password synchronization system is one where users access a new user interface, normally through a Web browser, to update multiple passwords at once, and hence synchronize them. Users are intended to use the new user interface instead of the existing "native" password update facilities on the systems where they have login accounts.|
|webISO||webISO or "Web Initial Sign-on" is a term coined by the middleware group in the United States to describe the variety of projects designed to allow single sign-on for web applications.|
|Web-SSO - Web Single Sign-On||Web single sign-on systems consist of an agent installed on Web servers, and a central infrastructure that includes a directory and servers or logic to manage authentication and access control. When users attempt to access a Web SSO-enabled Web server or Web application, the Web-SSO agent redirects the user's Web browser to an authentication server, where the user signs in. The Web browser is then redirected back to the requested Web application and the user can access the application or Web content. When an already authenticated user accesses another Web application, the agent on the Web application retrieves the user's validated credentials, thus eliminating any need for the user to sign on again. Web-SSO systems also incorporate access control mechanisms, where either the agent installed on each Web server, or the Web applications themselves (using an API), may check whether a user is entitled to access data or functions. Most Web-SSO systems also include a distributed administration interface, for defining new user accounts and managing existing ones.|
|Workflow||Supports the routing of documents and content between individuals and processes. Enables features such as document approval.|
|WSDL||Web Services Description Language; an industry-agreed XML language in which a Web service is described as a set of communication endpoints (ports) that are capable of exchanging messages. A port consists of two parts: an abstract definition of operations and messages, and a concrete binding to message formats and a network protocol (e.g. SOAP over HTTP). The reason for this split is the ability to reuse the definition for future network protocols.
The rationale for WSDL is that it allows communication details to be automated (machine-readable communication), it makes it easier to discover services through a registry, and finally, a third party can verify its conformance to standards.
Java API: Java API for WSDL (JSR 110), JAX-RPC (JSR 101)|
|WS-Federation||This specification defines mechanisms that are used to enable identity, account, attribute, authentication, and authorization federation across different trust realms.
By using the XML, SOAP and WSDL extensibility models, the WS* specifications are designed to be composed with each other to provide a rich Web services environment. WS-Federation by itself does not provide a complete security solution for Web services. WS-Federation is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models.|
|WSIA||Web Service for Interactive Applications|
|WS-PolicyAssertion||This document specifies a set of common message policy assertions that can be specified within a policy.
By using the XML, SOAP, and WSDL extensibility models, the WS* specifications are designed to be composed with each other to provide a rich Web services environment. WS-PolicyAssertions by itself does not provide a negotiation solution for Web services. WS-PolicyAssertions is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of policy exchange models.|
|WS-PolicyFramework||The Web Services Policy Framework (WS-Policy) provides a general purpose model and corresponding syntax to describe and communicate the policies of a Web service. WS-Policy defines a base set of constructs that can be used and extended by other Web services specifications to describe a broad range of service requirements, preferences, and capabilities.
- WS-Policy provides a flexible and extensible grammar for expressing the capabilities, requirements, and general characteristics of entities in an XML Web services-based system.
- WS-Policy defines a policy to be a collection of one or more policy assertions.
- WS-Policy stops short of specifying how policies are discovered or attached to a Web service.|
|WSRP||Web Service for Remote Portals|
|WS-SecureConversation||The Web Services Secure Conversation Language (WS-SecureConversation) is built on top of the WS-Security and WS-Policy models to provide secure communication between services. WS-Security focuses on the message authentication model but not on a security context, and is thus subject to several forms of security attack. This specification defines mechanisms for establishing and sharing security contexts, and for deriving keys from security contexts, to enable a secure conversation.
By using the SOAP extensibility model, modular SOAP-based specifications are designed to be composed with each other to provide a rich messaging environment. As such, WS-SecureConversation by itself does not provide a complete security solution. WS-SecureConversation is a building block that is used in conjunction with other Web service and application-specific protocols (for example, WS-Security) to accommodate a wide variety of security models and technologies.|
|WS-Security||Security standard (JSR 183) delivering a technical foundation for implementing security functions such as integrity and confidentiality in messages, on which higher-level Web services applications are built.|
|WS-SecurityPolicy||By using the XML, SOAP and WSDL extensibility models, the WS* specifications are designed to be composed with each other to provide a rich Web services environment. WS-SecurityPolicy by itself does not provide a complete security solution for Web services. WS-SecurityPolicy is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models.|
|WS-Trust||The Web Services Trust Language (WS-Trust) uses the secure messaging mechanisms of WS-Security to define additional primitives and extensions for the issuance, exchange and validation of security tokens. WS-Trust also enables the issuance and dissemination of credentials within different trust domains.
In order to secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). However, each party needs to determine if they can "trust" the asserted credentials of the other party. This specification defines extensions to WS-Security for issuing and exchanging security tokens and ways to establish and access the presence of trust relationships. Using these extensions, applications can engage in secure communication designed to work with the general Web Services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates, and SOAP messages.|
|XACML||Representing and evaluating access control policies.|
|XKMS||Security Standard - Extensible Key Management Specification|
|XML||Short for Extensible Markup Language, a specification developed by the W3C. XML is a pared-down version of SGML, designed especially for Web documents. It allows designers to create their own customized tags, enabling the definition, transmission, validation, and interpretation of data between applications and between organizations.
Java API: JAXP for parsing and transforming XML documents (you have to create objects yourself), JAXB for XML data binding (allows automatic creation of objects); Streaming API (JSR 173)|
|XML Digital Signature||Security Standard (JSR 105 - for authentication, non-repudiation, and tamper-proofing)|