5 C

CA: See certification authority (CA).

canonical name: A syntactic transformation of an Active Directory distinguished name (DN) into something resembling a path that still identifies an object within a forest. DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" translates to the canonical name "microsoft.com/NTDEV/Peter Houston", while the DN "dc=microsoft, dc=com" translates to the canonical name "microsoft.com/".
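The transformation described in this entry, as an added worked example that is not part of the original glossary: the dc= components are joined with dots to form the forest-relative prefix, and the remaining RDNs are reversed into path segments. The backslash-escape handling is an assumption about the input and goes slightly beyond the two DNs quoted above.

```python
"""Convert an Active Directory distinguished name (DN) to its canonical name.

Added example, not code from the original glossary. It implements the
transformation the "canonical name" entry describes: domain components
(dc=...) are joined with dots to form a DNS-style prefix, and the remaining
relative distinguished names are reversed and appended as path segments.
Assumption: a backslash escapes the character that follows it (so "\," is a
literal comma inside a value rather than an RDN separator).
"""

from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs, left to right.

    A comma preceded by a backslash is part of the value, not a separator.
    Whitespace around each RDN is stripped, matching the example DNs in the
    glossary entry, which contain a space after each comma.
    """
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escaped character literally (e.g. "\," inside a CN).
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN (no '='): {rdn!r}")
        attr, value = rdn.split("=", 1)
        # Attribute types are case-insensitive, so normalise them.
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_to_canonical_name(dn: str) -> str:
    """Return the canonical name for a DN.

    "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" -> "microsoft.com/NTDEV/Peter Houston"
    "dc=microsoft, dc=com" -> "microsoft.com/"
    """
    pairs = split_dn(dn)
    domain_parts = [value for attr, value in pairs if attr == "dc"]
    if not domain_parts:
        raise ValueError("DN has no dc= components; cannot form a canonical name")
    # Everything that is not a domain component is a container or leaf on the
    # path, written root-first, which is the reverse of DN order.
    path_parts = [value for attr, value in pairs if attr != "dc"]
    path_parts.reverse()
    domain = ".".join(domain_parts)
    if not path_parts:
        # The domain root itself is written with a trailing slash.
        return domain + "/"
    return domain + "/" + "/".join(path_parts)


if __name__ == "__main__":
    for sample in ("cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com",
                   "dc=microsoft, dc=com"):
        print(f"{sample!r} -> {dn_to_canonical_name(sample)!r}")
```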

CAPI: See Cryptographic Application Programming Interface (CAPI) or CryptoAPI.

causality identifier (CID): A GUID that is passed as part of an ORPC call to identify a chain of calls that are causally related.

CEIP: See Customer Experience Improvement Program (CEIP).

CEIP data: Anonymous information contained in a set of files that describes usability, performance, reliability, and quality metrics. This data is used by a Customer Experience Improvement Program (CEIP).

certificate: (1) A certificate is a collection of attributes and extensions that can be stored persistently. The set of attributes in a certificate may vary depending on the intended usage of the certificate. A certificate securely binds a public key to the entity that holds the corresponding private key. A certificate is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standards. For more information on attributes and extensions, see [RFC3280] and [X509] sections 7 and 8.

(2) When referring to X.509v3 certificates, that information consists of a public key, a distinguished name (DN) of some entity assumed to have control over the private key corresponding to the public key in the certificate, and some number of other attributes and extensions assumed to relate to the entity thus referenced. Other forms of certificates can bind other pieces of information.

certificate authority (CA): See certification authority (CA).

certificate chain: A sequence of certificates, where each certificate in the sequence is signed by the subsequent certificate. The last certificate in the chain is normally a self-signed certificate.

certificate issuance: See certification.

certificate manager: See certification authority (CA).

certificate revocation: The process of invalidating a certificate. For more information, see [RFC3280] section 3.3.

certificate revocation list (CRL): A list of certificates that have been revoked by the certification authority (CA) that issued them (that have not yet expired of their own accord). The list must be cryptographically signed by the CA that issues it. Typically, the certificates are identified by serial number. In addition to the serial number for the revoked certificates, the CRL also contains the revocation reason for each certificate and the time the certificate was revoked. As specified in [RFC3280], two types of CRLs commonly exist in the industry. Base CRLs keep a complete list of revoked certificates, while delta CRLs maintain only those certificates that have been revoked since the last issuance of a base CRL. For more information, see section 7.3 of [X509], [MSFT-CRL], and section 5 of [RFC3280].

certificate services: The Microsoft implementation of a certification authority (CA) that is part of the server operating system. Certificate services include tools to manage issued certificates, publish CA certificates and CRLs, configure CAs, import and export certificates and keys, and recover archived private keys.

certificate store: A database of certificates, or certificates and the accompanying private key. Used to store a variety of certificates with different attributes or constraints.

certificate template: A list of attributes that define a blueprint for creating an X.509 certificate. It is often referred to in non-Microsoft documentation as a "certificate profile". A certificate template is used to define the content and purpose of a digital certificate, including issuance requirements (certificate policies), implemented X.509 extensions such as application policies, key usage, or extended key usage as specified in [X509], and enrollment permissions. Enrollment permissions define the rules by which a certification authority (CA) will issue or deny certificate requests. In Windows environments, certificate templates are stored as objects in the Active Directory and used by Microsoft enterprise CAs.

certification: The certificate request and issuance process whereby an end entity (EE) first makes itself known to a certification authority (CA) (directly, or through a registration authority) through the submission of a certificate enrollment request, prior to that CA issuing a certificate or certificates for that EE.

certification authority (CA): (1) A third party that issues public key certificates. Certificates serve to bind public keys to a user identity. Each user and certification authority (CA) may decide whether to trust another user or CA for a specific purpose, and whether this trust should be transitive.

(2) A software component that issues digital (X.509) certificates to identities based on a public/private key pair. For more information, see [RFC3280].

challenge: A piece of data used to authenticate a user. Typically a challenge takes the form of a nonce.

Challenge-Handshake Authentication Protocol (CHAP): A protocol for user authentication to a remote resource. For more information, see [RFC1994] and [RFC2759].

challenge/response authentication: A common authentication technique in which a principal is prompted (the challenge) to provide some private information (the response) to facilitate authentication.

Challenge-Response Protocol: A type of authentication protocol in which the authentication is carried by sending a challenge from one party to another, with the other party providing a response that proves its identity.

change journal: The database to which records of file or directory changes are written by the NTFS file system. Each volume on a system has its own change journal.

change order: A message that contains information about a file or folder that has changed on a replica. The change order is sent to the member's outbound partners. If the outbound partners accept the change, the partners request the associated staging file. After installing the changed file in their individual replica trees, the partners propagate the change order to their outbound partners.

chart data region: A report item on a report layout that displays data in a graphical format.

checksum: A value that is the summation of a byte stream. By comparing the checksums computed from a data item at two different times, one can quickly assess whether the data items are identical.

child object, children: An object that is not the root of its tree. The children of an object o are the set of all objects whose parent is o.

chunks: The pieces of a file defined by the cut points.

CIM: See Common Information Model (CIM).

cipher: A cryptographic algorithm used to encrypt and decrypt files and messages.

cipher suite: A set of cryptographic algorithms used to encrypt and decrypt files and messages.

ciphertext: The encrypted form of a message. Ciphertext is achieved by encrypting the plaintext form of a message, and can be transformed back to plaintext by decrypting it with the proper key. Without that transformation, a ciphertext contains no distinguishable information.

claim: An assertion about a security principal expressed as an n-tuple containing an {Identifier, ValueType and m-Values of type ValueType} where m >= 1. A claim with only 1 value in the n-tuple is called a single-valued claim and a claim with more than 1 value is called a multi-valued claim.

class: User-defined binary data that is associated with a key.

class factory: An object (3 or 4) whose purpose is to create objects (3 or 4) from a specific object class (3 or 4).

class identifier (CLSID): A GUID that identifies a software component; for instance, a DCOM object class (4) or a COM class.

class store container distinguished name (class store container DN): A distinguished name (DN) of the form "CN=Class Store,<scoped gpo dn>" where <scoped gpo dn> is a Scoped Group Policy Object (GPO) DN. The class store container DN refers to an object of objectClass "classStore" in the Active Directory schema.

client: (1) A computer on which the remote procedure call (RPC) client is executing.

(2) An execution environment that holds object references and issues object RPC (ORPC) calls.

(3) In DFS-R, a replicating machine acts as a client when it receives replicated files from its upstream partner. Use of the terminology client stipulates that the machine contact its upstream server, and is responsible for initiating communication related to receiving replicated files. It does not imply anything about the operating system version or the function of the machine.

(4) The sending endpoint of a web services request message, and receiver of any resulting web services response message.

client area: (1) The area of the desktop that is available for a window or notification icon to paint on.

(2) In an application, the display area that is used to create data, such as drawing or typing functions. The client area does not include toolbars, menus, or status bars.

client challenge: A 64-bit nonce generated on the client side.

client computer: (1) A computer that instigates a connection to a well-known port on a server.

(2) A computer that receives and applies settings from a Group Policy Object (GPO), as specified in [MS-GPOL].

client context: A context describing an execution environment from which an activation request has originated.

client locator: A service that enables lookup of entries exported to the remote procedure call (RPC) name service.

client/server mode: A mode that consists of one server with many client connections (one-to-many). From the perspective of each client, there is only one connection: the connection to the server.

client-side extension (CSE): A Group Policy extension that resides locally on the Group Policy client and is identified by a client-side extension GUID (CSE GUID).

client-side extension GUID (CSE GUID): A GUID that enables a specific client-side extension on the Group Policy client to be associated with policy data that is stored in the logical and physical components of a Group Policy Object (GPO) on the Group Policy server, for that particular extension.

cluster: A group of computers that are able to dynamically assign resource tasks among nodes in a group.

cluster name: The computer name that is associated with a cluster, rather than with a single computer system.

cluster size: See allocation unit size.

cluster state: A state that consists of all the non-volatile configuration data and volatile current status data that is maintained by the cluster and accessible to active nodes.

CN: See common name (CN).

CNG: See Cryptography API: Next Generation (CNG).

coalesced payload: A special form of payload that consists of multiple traditional payloads combined into a single packet.

code page: An ordered set of characters of a specific script in which a numerical index (code-point value) is associated with each character. Code pages are a means of providing support for character sets and keyboard layouts used in different countries. Devices such as the display and keyboard can be configured to use a specific code page and to switch from one code page (such as the United States) to another (such as Portugal) at the user's request.

collision-resistant hash function: A hash function having the property that, in practice, differing inputs do not produce the same hash (that is, they do not collide).

color profile: A file that contains information about how to convert colors in the color space and the color gamut of a specific device into a device-independent color space. A device-specific color profile is called a "device profile". For more information on using color and device profiles, see [MSDN-UDP].

COM: See Component Object Model (COM).

COM class: An object class (3).

commit request: The action that is performed by a root application to initiate the Two-Phase Commit Protocol for an atomic transaction.

Common Information Model (CIM): An object-oriented information model that provides a conceptual framework for describing management data, as specified in [DMTF-DSP0004].

Common Information Model (CIM) class: A collection of Common Information Model (CIM) instances that support the same type, that is, the same CIM properties and CIM methods, as specified in [DMTF-DSP0004].

Common Information Model (CIM) instance: Provides values for the CIM properties associated with the CIM instance's defining CIM class. A CIM instance does not carry values for any other CIM properties or CIM methods that are not defined in (or inherited by) its defining CIM class. For more information, see [DMTF-DSP0004].

Common Information Model (CIM) method: An operation describing the behavior of a CIM class or a CIM instance. It is generally an action that can be performed against the manageable entity made of a CIM class.

Common Information Model (CIM) namespace: A logical grouping of a set of Common Information Model (CIM) classes designed for the same purpose or sharing a common management objective within the database used to store all CIM class definitions. This is a term mostly referenced in the Windows Management Instrumentation (WMI) implementation.

Common Information Model (CIM) object: An object that represents a Common Information Model (CIM) object. This may be either a CIM class or a CIM instance of a CIM class.

Common Information Model (CIM) Object Manager (CIMOM): A component that implements a set of operations used to access and manipulate Common Information Model (CIM) objects.

Common Information Model (CIM) path: A string expression locating a class or an instance of a class in the operating system. The CIM path includes the computer name, the namespace, the name of CIM class, and the unique identifier locating the CIM class or CIM instance.

Common Information Model (CIM) property: Assigns values used to characterize instances of a CIM class. A CIM property can be thought of as a pair of Get and Set functions that, when applied to an object, return state and set state, respectively. For more information, see [DMTF-DSP0004].

Common Information Model (CIM) qualifier: Used to characterize named elements, as specified in [DMTF-DSP0004]. For example, there are CIM qualifiers that define the characteristics of a CIM property or the key of a CIM class.

Common Information Model (CIM) relative path: A string expression where elements like the computer and/or the namespace of the CIM class and/or CIM instance are not used.

common name (CN): A string attribute of a certificate that is one component of a distinguished name (DN). In Microsoft Enterprise uses, a CN must be unique within the forest where it is defined and any forests that share trust with the defining forest. The website or email address of the certificate owner is often used as a common name. Client applications often refer to a certification authority (CA) by the CN of its signing certificate.

Compact Disc File System (CDFS): A file system used for storing files on CD-ROMs.

Component Object Model (COM): An object-oriented programming model that defines how objects interact within a single process or between processes. In COM, clients have access to an object through interfaces implemented on the object. For more information, see [MS-DCOM].

compression chunk: When compression is used for replication data, the data is divided into smaller units that are suitable for the particular algorithm. The chunk size is specific to the compression algorithm being employed.

computer account: See machine account.

computer account object: An object o of class user such that (o.userAccountControl AND ADS_UF_WORKSTATION_TRUST_ACCOUNT) ≠ 0.

computer name: The DNS or NetBIOS name.

computer object: An object of class computer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system.

computer policy mode: A mode of policy application intended to retrieve settings for the computer account of the client.

computer-scoped Group Policy Object distinguished name: A scoped Group Policy Object (GPO) distinguished name (DN) that begins with "CN=Machine".

computer-scoped Group Policy Object path: A scoped Group Policy Object (GPO) path that ends in "\Machine".

configuration naming context (config NC): A naming context (NC) containing configuration information. In Active Directory, a single config NC is shared among all domain controllers (DCs) in the forest.

connection: (1) Each user that has a session with a server can create multiple share connections, or resource connections, using that user ID. This resource connection is created using a tree connect Server Message Block (SMB) and is identified by an SMB TreeID or TID.

(2) Firewall rules are specified to apply to connections. Every packet is associated with a connection based on TCP, UDP, or IP endpoint parameters; see [IANAPORT].

(3) In DFS-R, a pair of client and server replication partners.

(4) In OleTx, an ordered set of logically related messages. The relationship between the messages is defined by the higher-layer protocol, but they are guaranteed to be delivered exactly one time and in order relative to other messages in the connection.

connection-oriented NTLM: A particular variant of NTLM designed to be used with connection-oriented remote procedure call (RPC).

connection-oriented RPC: A remote procedure call (RPC) protocol dialect built on top of an RPC transport that supports connections. For more information, see [C706-Ch12RPC_PDU_Encode].

connection security rule: A group of settings that specify how and when connections into and out of a client computer should be protected using Internet Protocol security (IPsec).

connection type: A specific set of interactions between participants in an OleTx protocol that accomplishes a specific set of state changes. A connection type consists of a bidirectional sequence of messages that are conveyed by using the MSDTC Connection Manager: OleTx Transports Protocol and the MSDTC Connection Manager: OleTx Multiplexing Protocol transport protocol, as described in [MS-CMPO] and [MS-CMP]. A specified transaction typically involves many different connection types during its lifetime.

ConnectionId: A GUID that uniquely identifies a connection.

connectionless NTLM: A particular variant of NTLM designed to be used with connectionless RPC.

connectionless RPC: An RPC protocol dialect built on top of an RPC transport that does not support connections. For more information, see [C706-Ch12RPC_PDU_Encode].

constrained delegation: A Windows feature used in conjunction with S4U2proxy. This feature limits the proxy services for which the application service is allowed to get tickets on behalf of a user.

constructed attribute: An attribute whose values are computed from normal attributes (for read) and/or have effects on the values of normal attributes (for write).

contact identifier: A universally unique identifier (UUID) that identifies a partner in the MSDTC Connection Manager: OleTx Transports Protocol. These UUIDs are frequently converted to and from string representations. This string representation must follow the format specified in [C706-AppendixAUUID]. In addition, the UUIDs must be compared, as specified in [C706-AppendixAUUID].

container: An object in the directory that can serve as the parent for other objects. In the absence of schema constraints, all objects would be containers. The schema allows only objects of specific classes to be containers.

content set: See replicated folder.

ContentSetId: The GUID assigned to a specific replicated folder within a replica set.

context: A collection of context properties that describe an execution environment.

context identifier: A GUID that identifies a context.

context property: An attribute of an execution environment.

context property identifier: A GUID that identifies a context property.

control access right: (1) An extended access right that can be granted or denied on an access control list (ACL).

(2) A variable access type with a specialized access GUID identifying the specific access type.

Control menu: See Window menu.

conversation callback: A remote procedure call (RPC) request/response message exchange initiated by an RPC Server and received by an RPC Client. The message exchange is internal to the connectionless RPC engine.

Coordinated Universal Time (UTC): A high-precision atomic time standard that approximately tracks Universal Time (UT). It is the basis for legal, civil time all over the Earth. Time zones around the world are expressed as positive and negative offsets from UTC. In this role, it is also referred to as Zulu time (Z) and Greenwich Mean Time (GMT). In these specifications, all references to UTC refer to the time at UTC–0 (or GMT).

Copychunk Resume Key: A 24-byte value generated by a Server Message Block (SMB) server in response to a request by an SMB client that uniquely identifies an open file on the SMB server. A Copychunk Resume Key is used by SMB server-side data movement operations between files without requiring the data to be read by the client and then written back to the server.

Note that this is different from the resume key specified in [MS-CIFS] section that is returned by the server in response to a TRANS2_FIND_FIRST2 subcommand of an SMB_COM_TRANSACTION2 client request.

core Group Policy engine: The software entity that implements the Group Policy: Core Protocol [MS-GPOL]. The core Group Policy engine issues the message sequences that result in core protocol network traffic during policy application on Group Policy clients. The engine handles functions on behalf of the core protocol such as the Group Policy refresh interval, GPO and policy file access, GPO filtering and ordering, and invoking transport protocols for retrieving and storing policy settings.

core transaction manager facet: The facet that acts as the internal coordinator of each transaction that is inside the transaction manager. The core transaction manager facet communicates with other facets in its transaction manager to ensure that each transaction is processed correctly. To accomplish this, the core transaction manager facet maintains critical transaction state, in both volatile memory and in a durable store, such as in a log file.

correlation: In an Interface Definition Language (IDL) file, the runtime properties of one argument dictate the allowed runtime properties of another argument.

crash dump file: A file that may be created by an operating system when an unrecoverable fault occurs. This file contains the contents of memory at the time of the crash and may be used to debug the problem.

credential: Previously established authentication data, such as a password, that is used by a security principal to establish its own identity. When used in reference to the Netlogon Protocol, it is the data stored in the NETLOGON_CREDENTIAL structure.

critical object: A subset of the objects in the default naming context (NC), identified by the attribute isCriticalSystemObject having the value TRUE. The objects that are marked in this way are essential for the operation of a domain controller (DC) hosting the NC.

cross-certification: The certificate issuance process by which two certificate authorities (CAs), CA1 and CA2, issue specialized certificates so that any relying party (RP) that has CA1 in its trust root but not CA2 can link from CA1 to CA2 and thereby validate certificates in the hierarchy under CA2 and make use of those. For more information on cross-certification, see section 3.5 of [RFC3280]. For an introduction to cross-certificates and cross-certification, see [MSFT-CROSSCERT].

cross-certificate: An X.509 digital certificate issued between two existing independent certificate authorities (CAs) for the purpose of extending or constraining PKI trust hierarchies. A cross-certificate is specified in section 3.3.21 of [X509]. For an introduction to cross-certificates and cross-certification, see [MSFT-CROSSCERT].

crossRef object: An object residing in the partitions container of the config NC that describes the properties of a naming context (NC), such as its domain naming service name, operational settings, and so on.

Cryptographic Application Programming Interface (CAPI) or CryptoAPI: The Microsoft cryptographic application programming interface (API). An API that enables application developers to add authentication, encoding, and encryption to Windows-based applications.

cryptographic hash function: A function that maps an input of any length to a short output bit string of fixed length, such that finding an input that maps to a particular bit string of the correct output length, or even finding two inputs that map to the same output bit string, is computationally infeasible. For more information, see [SCHNEIER] chapters 2 and 18.

cryptographic service provider (CSP): A software module that implements cryptographic functions for calling applications.

cryptographically generated address (CGA): An IPv6 address for which the interface identifiers (the low-order 64 bits) are generated by computing a cryptographic hash function on a public key. The corresponding private key can be used to sign messages sent from this IPv6 address. CGA is specified in [RFC3972].

Cryptography API: Next Generation (CNG): The second generation of the CryptoAPI and its long-term replacement. CNG allows the implementer to replace existing algorithm providers with the implementer's own providers and to add new algorithms as they become available. CNG also allows the same APIs to be used from user and kernel mode applications.

curly braced GUID string: The string representation of a 128-bit globally unique identifier (GUID) using the form {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, where X denotes a hexadecimal digit. The string representation between the enclosing braces is the standard representation of a GUID as defined in [RFC4122] section 3. Unlike a GUIDString, a curly braced GUID string includes enclosing braces.

CurrentRefreshTime: The current time, in units of days, measuring the time since the value was initialized.

Customer Experience Improvement Program (CEIP): A program in which participating systems send information to a software publisher about how they use certain products. Received CEIP data is combined to help the software publisher solve problems and to improve the products and features that customers use most often.

cut points: The locations in a file where remote differential compression (RDC) has determined boundary points between blocks, or chunks. The cut points for a particular file depend on the contents of the file and the parameters with which RDC is running.

cycle: A series of one or more replication responses associated with the same invocation ID, concluding with the return of a new update sequence number (USN) that defines the high water mark in which to begin the next replication cycle.

cyclic redundancy check (CRC): An algorithm used to produce a checksum (a small, fixed number of bits) against a block of data, such as a packet of network traffic or a block of a computer file. The CRC is used to detect errors after transmission or storage. A CRC is designed to catch random errors, as opposed to intentional errors. If errors might be introduced by a motivated and intelligent adversary, a cryptographic hash function should be used instead.

cylinder: The set of disk tracks that appear in the same location on each platter of a disk.