Crypt-OpenSSL-CA
lib/Crypt/OpenSSL/CA/AlphabetSoup.pod
=head1 NAME
B<Crypt::OpenSSL::CA::AlphabetSoup> - A L</PKIX> glossary
=head1 CONTENTS
=head2 ASN.1
Abstract Syntax Notation one, a kind of ``binary XML'' used throughout
the L</X.*> standards trail. L<http://en.wikipedia.org/wiki/ASN.1>
=head2 C
See L</DN>
=head2 CA
Certification Authority, an RFC4210 concept that models the bunch of
software and hardware that creates X509 certificates (see
L<Crypt::OpenSSL::CA::Resources/STANDARDS>). Unfortunately, the term CA
is also used in other places, and in a very confusing fashion, to
designate either
=over
=item *
the set of the cryptographic credentials (key and CA certificate) that
the CA-as-a-computing-equipment needs to perform,
=item *
the whole security domain (more computers and programs) that it relies
on and operates for (which typically includes one or several L</RA>s),
=item *
the political domain (e.g. a company) that its signature vouches for;
=item *
or even the person that operates the CA, even though arguably there
should be no such person in a well-designed L</PKI>! (People operate
the RA, but the CA can and should be fully automatic.)
=back
=head2 CCITT
French name for L</ITU-T>
=head2 CN
See L</DN>
=head2 CRL
Certificate Revocation List, the software equivalent of a state-issued
list of stolen IDs. This list is signed by the L</CA>, providing a
secure means to revoke a certificate. See also L</OCSP>.
=head2 CSR
Certificate Signing Request, a would-be certificate signed by the
L</EE> (as opposed to a ``regular'' certificate which is signed by the
L</CA>). There are two formats of CSR in use in L</PKIX> today,
L</SPKAC> (used by all browsers of the Netscape family) and
L</PKCS#10> (used by the rest of the world).
Concretely, a Certificate Signing Request is a file in a particular
format (typically L</ASN.1>) that contains the requestor's public key
and various other information, all covered by the requestor's
signature. To ensure B<proof of possession>, some L</CA>s require
that said signature also cover a randomly-generated I<challenge> that
the CA issues to the requestor; in this way, the CA guarantees that
all CSRs it is going to process are fresh, thereby preventing a
particular (and otherwise mostly harmless) kind of B<replay attack>.
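The challenge-based freshness check described above, as an added example (not code from Crypt::OpenSSL::CA or its author). It assumes a toy textbook-RSA signature over fixed Mersenne primes standing in for a real PKCS#10 or SPKAC signature; C<ToyCA>, C<make_csr> and the other names are hypothetical.

```python
import hashlib
import secrets

# Toy textbook RSA over two Mersenne primes: constructed for illustration only,
# NOT secure and NOT the PKCS#10/SPKAC encoding (real CSRs are ASN.1 structures).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def make_key():
    """Return (public key, private exponent) for the toy scheme."""
    return {"n": P * Q, "e": E}, pow(E, -1, (P - 1) * (Q - 1))

def _digest(pub, subject, challenge):
    # Everything the requestor's signature must cover, hashed into Z_n.
    body = f"{pub['n']}|{pub['e']}|{subject}|{challenge}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % pub["n"]

def make_csr(pub, priv, subject, challenge):
    """Requestor side: sign public key, subject AND the CA-issued challenge."""
    sig = pow(_digest(pub, subject, challenge), priv, pub["n"])
    return {"pub": pub, "subject": subject, "challenge": challenge, "sig": sig}

class ToyCA:
    def __init__(self):
        self.outstanding = set()  # challenges issued and not yet consumed

    def issue_challenge(self):
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def accept(self, csr):
        pub = csr["pub"]
        expected = _digest(pub, csr["subject"], csr["challenge"])
        # Proof of possession: signature must verify under the key in the CSR.
        if pow(csr["sig"], pub["e"], pub["n"]) != expected:
            return "rejected: bad signature"
        # Freshness: the signed challenge must be one this CA issued, used once.
        if csr["challenge"] not in self.outstanding:
            return "rejected: stale or unknown challenge"
        self.outstanding.remove(csr["challenge"])
        return "accepted"

def demo():
    ca = ToyCA()
    pub, priv = make_key()
    csr = make_csr(pub, priv, "CN=alice", ca.issue_challenge())
    first = ca.accept(csr)
    replay = ca.accept(csr)  # the very same CSR presented a second time
    altered = ca.accept({**csr, "subject": "CN=mallory"})  # body changed after signing
    return first, replay, altered
```

C<demo()> shows the three outcomes a CA cares about: a fresh request is accepted, the same request presented again is refused because its challenge was already consumed, and a request altered after signing fails the signature check.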
=head2 DC
See L</DN>
=head2 DER
Distinguished Encoding Rules, also known as X690; one of the
standardized ways of encoding L</ASN.1> (meaning that yes, there are
several of them, and as a matter of fact some deployments of ASN.1
require the parties to I<negotiate the binary data format> that will