Internet Security Glossary, Version 2

$ X.400

(N) An ITU-T Recommendation [X400] that is one part of a joint ITU-T/ISO multi-part standard (X.400-X.421) that defines the Message Handling Systems. (The ISO equivalent is IS 10021, parts 1-7.) (See: Message Handling Systems.)

$ X.500

(N) An ITU-T Recommendation [X500] that is one part of a joint ITU-T/ISO multi-part standard (X.500-X.525) that defines the X.500 Directory, a conceptual collection of systems that provide distributed directory capabilities for OSI entities, processes, applications, and services. (The ISO equivalent is IS 9594-1 and related standards, IS 9594-x.) (See: directory vs. Directory, X.509.)

Tutorial: The X.500 Directory is structured as a tree (the Directory Information Tree), and information is stored in directory entries. Each entry is a collection of information about one object, and each object has a DN. A directory entry is composed of attributes, each with a type and one or more values. For example, if a PKI uses the Directory to distribute certificates, then the X.509 public-key certificate of an end user is normally stored as a value of an attribute of type "userCertificate" in the Directory entry that has the DN that is the subject of the certificate.

$ X.509

(N) An ITU-T Recommendation [X509] that defines a framework to provide and support data origin authentication and peer entity authentication, including formats for X.509 public-key certificates, X.509 attribute certificates, and X.509 CRLs. (The ISO equivalent is IS 9498-4.) (See: X.500.)

Tutorial: X.509 describes two "levels" of authentication: "simple authentication" and "strong authentication". It recommends, "While simple authentication offers some limited protection against unauthorized access, only strong authentication should be used as the basis for providing secure services."

$ X.509 attribute certificate

(N) An attribute certificate in the version 1 (v1) format defined by X.509. (The v1 designation for an X.509 attribute certificate is disjoint from the v1 designation for an X.509 public-key certificate, and from the v1 designation for an X.509 CRL.)

Tutorial: An X.509 attribute certificate has a "subject" field, but the attribute certificate is a separate data structure from that subject's public-key certificate. A subject may have multiple attribute certificates associated with each of its public-key certificates, and an attribute certificate may be issued by a different CA than the one that issued the associated public-key certificate.

An X.509 attribute certificate contains a sequence of data items and has a digital signature that is computed from that sequence. Besides the signature, an attribute certificate contains items 1 through 9 listed below:
      1. version                 Identifies v1.
      2. subject                 Is one of the following:
         2a. baseCertificateID   Issuer and serial number of an
                                 X.509 public-key certificate.
         2b. subjectName         DN of the subject.
      3. issuer                  DN of the issuer (the CA who signed).
      4. signature               OID of algorithm that signed the cert.
      5. serialNumber            Certificate serial number;
                                 an integer assigned by the issuer.
      6. attCertValidityPeriod   Validity period; a pair of UTCTime
                                 values: "not before" and "not after".
      7. attributes              Sequence of attributes describing the
                                 subject.
      8. issuerUniqueId          Optional, when a DN is not sufficient.
      9. extensions              Optional.
$ X.509 certificate

(N) Synonym for "X.509 public-key certificate".

Usage: IDOCs MAY use this term as an abbreviation of "X.509 public-key certificate", but only after using the full term at the first instance. Otherwise, the term is ambiguous, because X.509 specifies both public-key certificates and attribute certificates. (See: X.509 attribute certificate, X.509 public-key certificate.)

Deprecated Usage: IDOCs SHOULD NOT use this term as an abbreviation of "X.509 attribute certificate", because the term is much more commonly used to mean "X.509 public-key certificate" and, therefore, is likely to be misunderstood.

$ X.509 certificate revocation list (CRL)

(N) A CRL in one of the formats defined by X.509 -- version 1 (v1) or version 2 (v2). (The v1 and v2 designations for an X.509 CRL are disjoint from the v1 and v2 designations for an X.509 public- key certificate, and from the v1 designation for an X.509 attribute certificate.) (See: certificate revocation.)

Usage: IDOCs SHOULD NOT refer to an X.509 CRL as a digital certificate; however, note that an X.509 CRL does meet this Glossary's definition of "digital certificate". That is, like a digital certificate, an X.509 CRL makes an assertion and is signed by a CA. But instead of binding a key or other attributes to a subject, an X.509 CRL asserts that certain previously issued, X.509 certificates have been revoked.

Tutorial: An X.509 CRL contains a sequence of data items and has a digital signature computed on that sequence. Besides the signature, both v1 and v2 contain items 2 through 6b listed below. Version 2 contains item 1 and may optionally contain 6c and 7.
      1. version                 Optional. If present, identifies v2.
      2. signature               OID of the algorithm that signed CRL.
      3. issuer                  DN of the issuer (the CA who signed).
      4. thisUpdate              A UTCTime value.
      5. nextUpdate              A UTCTime value.
      6. revokedCertificates     3-tuples of 6a, 6b, and (optional) 6c:
         6a. userCertificate     A certificate's serial number.
         6b. revocationDate      UTCTime value for the revocation date.
         6c. crlEntryExtensions  Optional.
      7. crlExtensions           Optional.
$ X.509 public-key certificate

(N) A public-key certificate in one of the formats defined by X.509 -- version 1 (v1), version 2 (v2), or version 3 (v3). (The v1 and v2 designations for an X.509 public-key certificate are disjoint from the v1 and v2 designations for an X.509 CRL, and from the v1 designation for an X.509 attribute certificate.)

Tutorial: An X.509 public-key certificate contains a sequence of data items and has a digital signature computed on that sequence. Besides the signature, all three versions contain items 1 through 7 listed below. Only v2 and v3 certificates may also contain items 8 and 9, and only v3 may contain item 10.
      1. version                 Identifies v1, v2, or v3.
      2. serialNumber            Certificate serial number;
                                 an integer assigned by the issuer.
      3. signature               OID of algorithm that was used to
                                 sign the certificate.
      4. issuer                  DN of the issuer (the CA who signed).
      5. validity                Validity period; a pair of UTCTime
                                 values: "not before" and "not after".
      6. subject                 DN of entity who owns the public key.
      7. subjectPublicKeyInfo    Public key value and algorithm OID.
      8. issuerUniqueIdentifier  Defined for v2, v3; optional.
      9. subjectUniqueIdentifier Defined for v2, v2; optional.
      10. extensions             Defined only for v3; optional.
$ X9

(N) See: "Accredited Standards Committee X9" under "ANSI".

$ XML

(N) See: Extensible Markup Language.

$ XML-Signature.

(N) A W3C Recommendation (i.e., approved standard) that specifies XML syntax and processing rules for creating and representing digital signatures (based on asymmetric cryptography) that can be applied to any digital content (i.e., any data object) including other XML material.

W <- 4. Definitions -> Y