Glossary

authentication - process by which you prove your identity to another party, for example by showing photo ID to a bank teller or entering your password on a computer system

authorization - process of granting access to a service or information based on your role at the University, once you have authenticated

CUWebAuth - set of tools that Cornell web administrators use to require a Cornell NetID and password for access to certain restricted web resources

Kerberos - security system that protects access to personal, confidential information on computer networks. When you request access to Kerberos-protected private information, Kerberos verifies that you have entered the correct password for your Network ID (this process is called authentication), and then issues you an electronic ticket, which gives you admission to restricted services.

LDAP (Lightweight Directory Access Protocol) - set of protocols for accessing information in directories. LDAP makes it possible for almost any application running on virtually any computer platform to obtain directory information, such as e-mail addresses.

NetID (or Network ID) - personal, unique identifier assigned to you when you first come to Cornell. It consists of your initials followed by one or more numbers. You use it, along with a password, to obtain access to Cornell online services such as e-mail and administrative systems.

Permit Server - application developed at Cornell that controls who can access online services. A permit is a collection of NetIDs and is associated with a specific service or set of services. If your NetID is included in the permit, you will have access to the service, once you have authenticated with your NetID and password.

PGP (Pretty Good Privacy) - mechanism used world-wide for signing and encrypting e-mail. PGP relies on a web of trust among individuals, rather than a more formal, legally binding trust among institutions.

PKI (Public Key Infrastructure) - framework and services that provide for the generation, production, distribution, control, and accounting of public key certificates.

certificate - computer-generated record that ties the user's information with the user's public key in a trusted bond. At minimum, the certificate contains the identity of the issuing Certification Authority and the user, and the user's public key.

private key - key that is never shared and must be safeguarded by the owner. Signature generation requires a private key to generate a digital signature. Private keys cannot be used for signature verification.

public key - key that is assumed to be known to the public in general. Signature verification makes use of the public key. Anyone can verify the signature of a user by employing that user's public key, but the public key cannot be used for signature generation. Public keys are also used for encryption. Sending an encrypted message requires use of the recipient's public key for encryption.

security questions - key component of an online service that allows users to reset forgotten NetID passwords on their own. Users choose three different questions from a predetermined list and answer those questions. Users who correctly answer the three questions they selected earlier are authorized to set a new NetID password without knowing the existing password.

Shibboleth - initiative to develop an architecture and policy framework supporting the sharing of secured web resources and services across multiple institutions.

SideCar - program written at Cornell to extend Kerberos protection to online services that can't use CUWebAuth. SideCar is being phased out.