1.1 Glossary

  • Article

This document uses the following terms:

Active Directory domain: A domain hosted on Active Directory. For more information, see [MS-ADTS].

ASN.1: Abstract Syntax Notation One. ASN.1 is used to describe Kerberos datagrams as a sequence of components, sent in messages. ASN.1 is described in the following specifications: [ITUX660] for general procedures; [ITUX680] for syntax specification, and [ITUX690] for the Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER) encoding rules.

base64 encoding: A binary-to-text encoding scheme whereby an arbitrary sequence of bytes is converted to a sequence of printable ASCII characters, as described in [RFC4648].

certificate chain: A sequence of certificates, where each certificate in the sequence is signed by the subsequent certificate. The last certificate in the chain is normally a self-signed certificate.

certificate enrollment: The process of acquiring a digital certificate from a certificate authority (CA), which typically requires an end entity to first makes itself known to the CA (either directly, or through a registration authority). This certificate and its associated private key establish a trusted identity for an entity that is using the public key–based services and applications. Also referred to as simply "enrollment".

certification authority (CA): A third party that issues public key certificates. Certificates serve to bind public keys to a user identity. Each user and certification authority (CA) can decide whether to trust another user or CA for a specific purpose, and whether this trust should be transitive. For more information, see [RFC3280].

Cryptographic Application Programming Interface (CAPI): Also known as Windows Cryptographic Application Programming Interface, CryptoAPI, and Microsoft Cryptography API. An application programming interface (API) that allows developers who use the Windows operating system to secure Windows-based applications.

Cryptographic Application Programming Interface (CAPI) or CryptoAPI: The Microsoft cryptographic application programming interface (API). An API that enables application developers to add authentication, encoding, and encryption to Windows-based applications.

cryptographic service provider (CSP): A software module that implements cryptographic functions for calling applications that generates digital signatures. Multiple CSPs may be installed. A CSP is identified by a name represented by a NULL-terminated Unicode string.

Distinguished Encoding Rules (DER): A method for encoding a data object based on Basic Encoding Rules (BER) encoding but with additional constraints. DER is used to encode X.509 certificates that need to be digitally signed or to have their signatures verified.

enhanced key usage (EKU): An extension that is a collection of object identifiers (OIDs) that indicate the applications that use the key.

enroll: To request and acquire a digital certificate from a certificate authority (CA). This is typically accomplished through a certificate enrollment process.

extended key usage (EKU): An X.509 certificate extension that indicates one or more purposes for which the certificate can be used.

fully qualified domain name (FQDN): An unambiguous domain name that gives an absolute location in the Domain Name System's (DNS) hierarchy tree, as defined in [RFC1035] section 3.1 and [RFC2181] section 11.

health certificate: A digital certificate that is used to authenticate the health status of a Network Access Protection (NAP) client.

health certificate enrollment agent (HCEA): The client-side component in the Health Certificate Enrollment Protocol. The HCEA is responsible for receiving health certificates from a health registration authority (HRA). This term can also be used to refer to the client machine in the Health Certificate Enrollment Protocol.

health policy server: An entity in a network that has network policies administered on it and that is capable of validating a statement of health (SoH) against the specified policies.

health registration authority (HRA): The server-side component in the Health Certificate Enrollment Protocol. The HRA is a registration authority (RA) that requests a health certificate from a certification authority (CA) upon validation of health.

health state: An abstract notion of the state of a machine that is used to indicate its compliance with network policies. Some examples of such state would include the state of the firewall on the machine, the version of the virus signature files for an antivirus application, and so on.

HTTP Internal Server Error: An HTTP response with status code 500, as specified in [RFC2616] section 6.1.1.

HTTP OK: An HTTP response with status code 200, as described in [RFC2616] section 6.1.1.

Hypertext Transfer Protocol (HTTP): An application-level protocol for distributed, collaborative, hypermedia information systems (text, graphic images, sound, video, and other multimedia files) on the World Wide Web.

Hypertext Transfer Protocol Secure (HTTPS): An extension of HTTP that securely encrypts and decrypts web page requests. In some older protocols, "Hypertext Transfer Protocol over Secure Sockets Layer" is still used (Secure Sockets Layer has been deprecated). For more information, see [SSL3] and [RFC5246].

Internet Protocol security (IPsec): A framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

NAP EC API: Provides a set of function calls that allow NAP enforcement clients to register with the NAP agent, to request system health status, and to pass system health remediation information to the NAP agent. The NAP EC API allows vendors to create and install additional NAP ECs. For more information about this API, see [MSDN-NAPAPI].

object identifier (OID): In the context of an object server, a 64-bit number that uniquely identifies an object.

Public Key Cryptography Standards (PKCS): A group of Public Key Cryptography Standards published by RSA Laboratories.

Remote Authentication Dial-In User Service (RADIUS): A protocol for carrying authentication, authorization, and configuration information between a network access server (NAS) that prefers to authenticate connection requests from endpoints and a shared server that performs authentication, authorization, and accounting.

Rivest-Shamir-Adleman (RSA): A system for public key cryptography. RSA is specified in [PKCS1] and [RFC3447].

statement of health (SoH): A collection of data generated by a system health entity, as specified in [TNC-IF-TNCCSPBSoH], which defines the health state of a machine. The data is interpreted by a Health Policy Server, which determines whether the machine is healthy or unhealthy according to the policies defined by an administrator.

statement of health response (SoHR): A collection of data that represents the evaluation of the statement of health (SoH) according to network policies, as specified in [TNC-IF-TNCCSPBSoH].

system health entity: See system health agent (SHA).

Uniform Resource Locator (URL): A string of characters in a standardized format that identifies a document or resource on the World Wide Web. The format is as specified in [RFC1738].

user agent: An HTTP user agent, as specified in [RFC2616].

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.