Glossary for letsencrypt.org/docs


#1

I created a Glossary for Let’s encrypt documentation and I would like your feedback: https://github.com/letsencrypt/website/pull/415

Ping @jsha because of https://github.com/letsencrypt/website/issues/380#issuecomment-427953056
Ping @DannyCarlton because of Should PKI, Web Certificates, Private Keys Be Simple To Explain?
Ping @david7364 because of Let's make Let's Encrypt easy and simple
Ping @georgeperez for spanish and @stevenzhu for chinese translation

If you are comfortable with GitHub, you can open PR’s for https://github.com/tdelmas/website/tree/glossary or directly comments the PR https://github.com/letsencrypt/website/pull/415 and use ```suggestion


Happy New Year! Looking back on the last year of accomplishments
#3

Since the last time, I’ve add information about OIDs, OCSP Must-Staple, CP and CPS.

I think the PR is ready to be merged exept if anybody have last-minute correction?

Here is a preview:

Last updated: December 30, 2018 | See all Documentation

Authority Information Access (AIA): A certificate property, used to indicate to web-clients how to obtains information about the issuer of the certificate. It may specify the OCSP URI (OID 1.3.6.1.5.5.7.48.1) or the Certificate Authority Issuer (OID 1.3.6.1.5.5.7.48.2). Let’s Encrypt certificates provide these information. OID 1.3.6.1.5.5.7.1.1

Automatic Certificate Management Environment (ACME): The protocol implemented by Let’s Encrypt. Softwares compatibles with that protocol can use it to communicate with Let’s Encrypt to ask for a certificate. ACME draft 16 - Wikipedia

ACME Client: A software capable to communicate with an ACME server to ask for a certificate.

ACME Server: An ACME-compatible server capable to generate certificates. Let’s Encrypt software, Boulder, is ACME-compatible. Boulder divergences from ACME

Boulder: The software implementing ACME, developed and used by Let’s Encrypt. GitHub

Canonical Name record (CNAME): A DNS entry which maps one domain name to another, referred to as the Canonical Name. Wikipedia

Certificate Authority (CA): An organization that issues certificates. Let’s Encrypt and IdenTrust are Certificate Authorities. Wikipedia

Certificate Authority Authorization (CAA): A DNS record that allows specifying which CAs are allowed to issue certificate for the corresponding domain. Let’s Encrypt does check and respects CAA records. https://letsencrypt.org/docs/caa/ - Wikipedia

Certification Authority Browser Forum: Also known as CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications. Let’s Encrypt is a member of the CA/Browser Forum. Wikipedia

Certificate Authority Issuer (CAI): Information about the issuer of the certificate. If may be useful when the web server didn’t provide a trusted certificate chain. OID 1.3.6.1.5.5.7.48.2

Certificate chain: To determine if a system trust a certificates, it must have a chain of trust ending on a root present on it’s certificate store. The chain is the list of intermediate leading to that root: the lead certificate is always signed by a intermediate (which can be signed by another intermediate and so on) with is sign by a root. Note: the path it not always unique, and when a website present a certificate chain leading to one root, the web client may decide to use another chain, ending in another root, to validate the certificate (This is especially important for Public Key Pinning). Wikipedia

Certificate Policy (CP): A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. ISRG Certificate Policy - RFC 3647 - Wikipedia

Certification Practice Statement (CPS): A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. ISRG Certification Practice Statement - RFC 3647 section 3.4 Wikipedia

Certificate Revocation List (CRL): A method to inform about the revocation status of a certificate. Wikipedia

Certificate Signing Request (CSR): A signed file containing the needed information required by the CA to generated a certificate. Relevant information for Let’s Encrypt are the Common Name and Subject Alternative Names. Wikipedia

Certificate Store: A certificate store contains the list of trusted roots. Operating systems (such as Windows, Android or Debian) and web browsers (such as Firefox) maintains a certificate store. Browsers without one rely on the one of the operation system. Certificates provided by Let’s Encrypt are trusted by those certificates stores: https://letsencrypt.org/certificates/.

Certificate Transparency (CT): To improve security, to be valid certificates (or precertificates) must be published in Certificate Transparency Logs: https://www.certificate-transparency.org/. Let’s Encrypt generate and publish a precertificates and include in the definitive certificates the proof of publication. Wikipedia

Common name (CN): An attribute of a certificate. For roots and intermediates it’s the name of the certificate. For leaf certificate it’s one of the Subject Alternative Name of the certificate. Note: The common name is limited to 63 characters. OID 2.5.4.3

Cross Signing: An intermediate certificate may be signed by more than one root. For example, Let’s Encrypt intermediates are cross signed by IdenTrust, initially because the Let’s Encrypt root was not yet trusted by certificate stores. Technically, it’s two intermediates, using the same Common Name and the same Key-pair, one signed by the private key of a Let’s Encrypt root and the other signed by the private key of the IdenTrust’s root: https://letsencrypt.org/certificates/. Wikipedia

Delegation Name record (DNAME): A DNS record that creates an alias for an entire subtree of the domain name tree. In contrast, the CNAME record creates an alias for a single name and not its subdomains. Wikipedia

Digital Signature Algorithm (DSA): The algorithm used to sign certificates. Wikipedia

DNS - based Authentication of Named Entities (DANE): A mechanism using DNS to indicate how to verity the authenticity of the certificate presented. Wikipedia

Domain Name System Security Extensions (DANE): A mechanism to authenticate DNS response. Wikipedia

Domain-validated certificate: Certificates where the applicant have only proven the control over the domain (and not it’s identity, unlike OV and EV certificates ). Let’s Encrypt offers only DV certificates (not OV nor EV ): FAQ. OID 2.23.140.1.2.1 and 1.3.6.1.4.1.44947.1.1.1 - Wikipedia

ECC certificates: Certificates using an Elliptic Curve Key-pair.

Edwards-curve Digital Signature Algorithm (EdDSA): A digital signature scheme using a variant of Schnorr signature based on Twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. Let’s Encrypt doesn’t provide EdDSA certificates. Wikipedia

Elliptic Curve Cryptography (ECC): An approach to public-key cryptography based on elliptic curves. ECC requires smaller keys compared to non-EC cryptography to provide equivalent security. Wikipedia

Elliptic Curve Digital Signature Algorithm (ECDSA): A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. Wikipedia. Let’s Encrypt supports ECDSA for end-user certificates but not yet for the chain: https://letsencrypt.org/upcoming-features/

Extended Validation (EV): Certificates for which the CA has verified the legal entity controlling the website. They contains information about that entity. Controls from the CA are more stricts than for OV certificates. Let’s Encrypt doesn’t offer EV certificates. Wikipedia

Fully qualified domain name (FQDN): The complete domain name of a website. For example, www.example.org is a FQDN , .org is its TLD and example.com the public suffix. Wikipedia

IdenTrust: A Certificate Authority. IdenTrust has cross-signed Let’s Encrypt intermediates: https://letsencrypt.org/certificates/. Wikipedia

Intermediate certificate: A certificate, signed by the private key of a root or another intermediate. It’s private key is used to sign intermediates or leaf certificates. They are used to allow the signature of leaf certificates while keeping the private key of root certificate to be kept offline. They allow cross signing too. Wikipedia

Internationalized Domain Names for Applications (IDNA): See internationalized domain name. RFC 5890 - RFC 5891

internationalized Domain Name (IDN): Domains with characters others than a to z , 0 to 9 and - . They can for example contain Arabic, Chinese, Cyrillic, Tamil, Hebrew or the Latin alphabet-based characters with diacritics or ligatures. The encoded representation of an IDN domains starts with xn-- . IDN is supported by Let’s Encrypt: https://letsencrypt.org/2016/10/21/introducing-idn-support.html. Wikipedia

Internet Security Research Group (ISRG): The organization behind Let’s Encrypt: https://www.abetterinternet.org/about/. Wikipedia

Key-pair: The couple private-key / public-key used to sign or encrypt. The public key is used to encrypt or verify the signature. The private key is used to decrypt data (encrypt by the public key) or signed data. Wikipedia

Leaf certificate (end-user certificate): A certificate signed by a trusted intermediate, valid for a set of domains. Wikipedia

Let’s Encrypt (LE): The Certificate Authority controlled by ISRG. Wikipedia

Mixed content: When a webpage using https loads sub-resources (such as Javascript, CSS or images) using http, browsers may remove the secure indication, or display an insecure logo: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

OCSP Must-Staple: Is the certificate property OID 1.3.6.1.5.5.7.1.24, informing the web client that the web server must use OCSP stapple. It’s used to ensure that the revocation status of the certificate is checked. Let’s Encrypt can provide certificate with the OCSP Must-Staple property. Mozilla Security Blog

OCSP stapling: also known as TLS Certificate Status Request extension , is a way for a Web server to send to the Web client to send an OCSP response signed by the Certificate Authority, so the Web client doesn’t needs to contact the CA to check the validity of the certificate, improving speed and privacy. Wikipedia

Object identifiers (OID): Hierarchical identifiers standardized by the International Telecommunications Union (ITU) and ISO/IEC. Certificate policy and Certification Practice Statement define OIDs usage by Certificate Authorities. Wikipedia

Online Certificate Status Protocol (OCSP): A method to check the Revocation of a certificate. Wikipedia

Organization Validation (OV): Certificates for which the CA has verified the legal entity controlling the website. They contain information about that entity. Let’s Encrypt doesn’t offer OV certificates. OID 2.23.140.1.2.2 - Wikipedia

Personal Information Exchange Files (.pfx): A file that may contain a leaf certificate, its chain up to the root and the private key of the leaf. See also https://en.wikipedia.org/wiki/PKCS_12. Microsoft Hardware Dev Center

Precertificate: Precertificates are certificates identical to the final certificate with an additional critical poison extension. They are used for certificate transparency. RFC 6962 Section 3.1

Public Key Cryptographic Standards (PKCS): A group of public-key cryptography standards devised and published by RSA Security. Wikipedia

Public Key Infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. Wikipedia

Public Key Pinning (PKP): A security mechanism consisting to pin the private key (or certificate). The pinned one can be the leaf, an intermediate of the chain or the root. That mechanism must be handled very carefully because it may prevent even the owner of the website to use a valid certificate. Wikipedia

Public Suffix List (PSL): A list of Public Suffix maintained by Mozilla. Let’s Encrypt use that list for rate-limits: https://letsencrypt.org/docs/rate-limits/. https://publicsuffix.org/

Revocation: A certificate is valid until its expiration date, expect if the CA says it’s been revoked. The certificate may be revoked for various reasons such as the compromising of the private key. Browsers can check if a certificate is revoked using CRL or OCSP but Let’s Encrypt only supports the OCSP method. https://letsencrypt.org/docs/revoking/

Root certificate: A self-signed certificate, controlled by a certificate authority, used to signed its intermediates certificates and included in certificates stores. Wikipedia

RSA: A public-key algorithm used to signed certificates. Wikipedia

Self-signed certificate: A certificate signed by its own private key. Root certificates are self-signed. Wikipedia

Server Name Indication (SNI): When connecting to a web server, a client may specify during the TLS handshake which domain it wants to connect to, in order for the server to answer with the appropriate certificate when multiple domains are hosted behind the same IP. SNI is not encrypted, but it’s successor, ESNI, is. Wikipedia

Signed Certificate Timestamp (SCT): A proof of publication of a certificate, signed by a Certificate Transparency log. The proof of the publication of a precertificate may be included in the corresponding final certificate. Let’s Encrypt certificates do include the required SCTs. https://www.certificate-transparency.org/how-ct-works

Staging: Let’s Encrypt provide a staging API to test the certificate request without impacting rates-limits. Certificates generated by the staging environment are not publicly trusted. https://letsencrypt.org/docs/staging-environment/

Subject Alternative Name (SAN): That field of a certificate is used to indicate for which domain(s) that certificate is valid. It replaces the usage of the Common Name, only now provided for compatibility reasons. SAN 2.5.29.17 (RFC 5280) - Wikipedia

Top-Level Domain (TLD): Highest level in the hierarchical Domain Name System, such as country-code top-level domains (ccTLD) for example .de (Germany), .cn (China) and generic top-level domains (gTLD) for example .com , .org . Wikipedia

Unified Communications Certificate (UCC): See Subject Alternative Name (SAN)

Web browser: A web client used to displays web pages. Example: Mozilla Firefox , Google Chrome or Internet Explorer . Wikipedia

Web client: Software capable to communicate with a Web server. Example: a web Browser or cURL.

Web server: Software serving web pages (or by extension, the hardware server hosting it). Wikipedia

Wildcard Certificates: Certificates valid for any subdomains (but for only one level): a certificate containing a SAN for *.example.com is valid for anything.example.com (but not for something.anything.example.com nor example.com ). Let’s Encrypt does provide Wildcards certificates. Wikipedia

X.509: The standard defining the format of public key certificates. Wikipedia


#4

#5

Hi @tdelmas

this is an amazing list.

One small thing:

is DNSSEC, DANE is defined one row earlier.


#6

Thanks!

Thank you :slightly_smiling_face:


#7

Hi @tdelmas, thank you very much for doing this work!

I did some proofreading and editing. Here’s a diff (sorry for the loss of formatting information—I should really have thought about this before I started editing this in plain text :frowning:).

--- orig	2018-12-31 18:50:23.016451979 -0800
+++ new	2018-12-31 18:49:37.905022957 -0800
@@ -1,10 +1,10 @@
-Authority Information Access (AIA): A certificate property, used to indicate to web-clients how to obtains information about the issuer of the certificate. It may specify the OCSP URI (OID 1.3.6.1.5.5.7.48.1) or the Certificate Authority Issuer (OID 1.3.6.1.5.5.7.48.2). Let’s Encrypt certificates provide these information. OID 1.3.6.1.5.5.7.1.1
+Authority Information Access (AIA): A certificate property, used to indicate to web-clients how to obtain information about the issuer of the certificate. It may specify the OCSP URI (OID 1.3.6.1.5.5.7.48.1) or the Certificate Authority Issuer (OID 1.3.6.1.5.5.7.48.2). Let’s Encrypt certificates provide these information. OID 1.3.6.1.5.5.7.1.1
 
-Automatic Certificate Management Environment (ACME): The protocol implemented by Let’s Encrypt. Softwares compatibles with that protocol can use it to communicate with Let’s Encrypt to ask for a certificate. ACME draft 16 - Wikipedia
+Automatic Certificate Management Environment (ACME): The protocol implemented by Let’s Encrypt. Software compatible with that protocol can use it to communicate with Let’s Encrypt to ask for a certificate. ACME draft 16 - Wikipedia
 
-ACME Client: A software capable to communicate with an ACME server to ask for a certificate.
+ACME Client: A program capable of communicating with an ACME server to ask for a certificate.
 
-ACME Server: An ACME-compatible server capable to generate certificates. Let’s Encrypt software, Boulder, is ACME-compatible. Boulder divergences from ACME
+ACME Server: An ACME-compatible server capable of generating certificates. Let’s Encrypt software, Boulder, is ACME-compatible. Boulder divergences from ACME
 
 Boulder: The software implementing ACME, developed and used by Let’s Encrypt. GitHub
 
@@ -14,37 +14,35 @@
 
 Certificate Authority Authorization (CAA): A DNS record that allows specifying which CAs are allowed to issue certificate for the corresponding domain. Let’s Encrypt does check and respects CAA records. https://letsencrypt.org/docs/caa/ - Wikipedia
 
-Certification Authority Browser Forum: Also known as CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications. Let’s Encrypt is a member of the CA/Browser Forum. Wikipedia
+Certificate Authority/Browser Forum: Also known as CA/Browser Forum, is a voluntary consortium of certificate authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications. This forum creates rules governing the issuance of certificates. Let’s Encrypt is a member of the CA/Browser Forum. Wikipedia
 
-Certificate Authority Issuer (CAI): Information about the issuer of the certificate. If may be useful when the web server didn’t provide a trusted certificate chain. OID 1.3.6.1.5.5.7.48.2
+Certificate Authority Issuer (CAI): Information about the issuer of the certificate. It may be useful when the web server didn’t provide a trusted certificate chain. OID 1.3.6.1.5.5.7.48.2
 
-Certificate chain: To determine if a system trust a certificates, it must have a chain of trust ending on a root present on it’s certificate store. The chain is the list of intermediate leading to that root: the lead certificate is always signed by a intermediate (which can be signed by another intermediate and so on) with is sign by a root. Note: the path it not always unique, and when a website present a certificate chain leading to one root, the web client may decide to use another chain, ending in another root, to validate the certificate (This is especially important for Public Key Pinning). Wikipedia
+Certificate chain: To determine that a system can trust a certificate, it must have a chain of trust ending on a root present on its certificate store. The chain is the list of intermediate certificates leading to that root: the lead certificate is always signed by a intermediate (which can be signed by another intermediate and so on) which is signed by a root. Note: the path is not always unique, and when a website presents a certificate chain leading to one root, the web client may decide to use another chain, ending in another root, to validate the certificate. (This is especially important for Public Key Pinning.) Wikipedia
 
-Certificate Policy (CP): A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. ISRG Certificate Policy - RFC 3647 - Wikipedia
+Certificate Policy (CP): A named set of rules that indicates the applicability of a certificate to a particular community and/or class of applications with common security requirements. ISRG Certificate Policy - RFC 3647 - Wikipedia
 
 Certification Practice Statement (CPS): A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. ISRG Certification Practice Statement - RFC 3647 section 3.4 Wikipedia
 
-Certificate Revocation List (CRL): A method to inform about the revocation status of a certificate. Wikipedia
+Certificate Revocation List (CRL): A method to inform browsers about the revocation status of a certificate. Wikipedia
 
-Certificate Signing Request (CSR): A signed file containing the needed information required by the CA to generated a certificate. Relevant information for Let’s Encrypt are the Common Name and Subject Alternative Names. Wikipedia
+Certificate Signing Request (CSR): A signed file containing the needed information required by the CA to generated a certificate. Relevant information for Let’s Encrypt are the Common Name, Subject Alternative Names, and Subject Public Key Info. Usually, client applications automatically generate the CSR for the user, although a web hosting provider or device might also generate a CSR. Wikipedia
 
-Certificate Store: A certificate store contains the list of trusted roots. Operating systems (such as Windows, Android or Debian) and web browsers (such as Firefox) maintains a certificate store. Browsers without one rely on the one of the operation system. Certificates provided by Let’s Encrypt are trusted by those certificates stores: https://letsencrypt.org/certificates/.
+Certificate Store: A certificate store contains the list of trusted roots. Operating systems (such as Windows, Android or Debian) and web browsers (such as Firefox) maintain a certificate store. Browsers without one rely on the one of the operating system. Certificates provided by Let’s Encrypt are currently trusted by most certificate stores, as described here: https://letsencrypt.org/certificates/.
 
-Certificate Transparency (CT): To improve security, to be valid certificates (or precertificates) must be published in Certificate Transparency Logs: https://www.certificate-transparency.org/. Let’s Encrypt generate and publish a precertificates and include in the definitive certificates the proof of publication. Wikipedia
+Certificate Transparency (CT): To improve security, certificates (or precertificates, which list the exact information in a certificate that an authority intends to issue) must be published in Certificate Transparency logs: https://www.certificate-transparency.org/. Let’s Encrypt generates and publishes a precertificate, and includes in the subsequent definitive certificate the cryptographic proof of publication for the precertificate. Some software, such as Google Chrome, insists on the presence of this proof in order for a certificate to be valid. Wikipedia
 
-Common name (CN): An attribute of a certificate. For roots and intermediates it’s the name of the certificate. For leaf certificate it’s one of the Subject Alternative Name of the certificate. Note: The common name is limited to 63 characters. OID 2.5.4.3
+Common Name (CN): An attribute of a certificate, describing what the certificate is about. For roots and intermediates, it’s the human-readable name of the certificate authority. For leaf certificates, it’s one of the Subject Alternative Names of the certificate. Note: The common name is limited to 63 characters. It is an obsolete method of indicating a domain name to which the certificate applies, since current Internet standards expect software to check only the Subject Alternative Names in order to determine the applicability of a certificate. OID 2.5.4.3
 
-Cross Signing: An intermediate certificate may be signed by more than one root. For example, Let’s Encrypt intermediates are cross signed by IdenTrust, initially because the Let’s Encrypt root was not yet trusted by certificate stores. Technically, it’s two intermediates, using the same Common Name and the same Key-pair, one signed by the private key of a Let’s Encrypt root and the other signed by the private key of the IdenTrust’s root: https://letsencrypt.org/certificates/. Wikipedia
+Cross-Signing: An intermediate certificate may be signed by more than one root. For example, Let’s Encrypt intermediates are cross-signed by IdenTrust, initially because the Let’s Encrypt root was not yet trusted by certificate stores. Technically, it’s achieved with two intermediates, using the same Common Name and the same Key-pair, one signed by the private key of a Let’s Encrypt root and the other signed by the private key of an IdenTrust root: https://letsencrypt.org/certificates/. Wikipedia
 
 Delegation Name record (DNAME): A DNS record that creates an alias for an entire subtree of the domain name tree. In contrast, the CNAME record creates an alias for a single name and not its subdomains. Wikipedia
 
-Digital Signature Algorithm (DSA): The algorithm used to sign certificates. Wikipedia
+DNS-based Authentication of Named Entities (DANE): A mechanism using DNS to indicate how to verity the authenticity of the certificate or encryption key presented. Wikipedia
 
-DNS - based Authentication of Named Entities (DANE): A mechanism using DNS to indicate how to verity the authenticity of the certificate presented. Wikipedia
+Domain Name System Security Extensions (DNSSEC): A mechanism to cryptographically authenticate DNS records. Wikipedia
 
-Domain Name System Security Extensions (DANE): A mechanism to authenticate DNS response. Wikipedia
-
-Domain-validated certificate: Certificates where the applicant have only proven the control over the domain (and not it’s identity, unlike OV and EV certificates ). Let’s Encrypt offers only DV certificates (not OV nor EV ): FAQ. OID 2.23.140.1.2.1 and 1.3.6.1.4.1.44947.1.1.1 - Wikipedia
+Domain-validated certificate: Certificates where the applicant has only proven its control over the domain (and not its identity, unlike OV and EV certificates). Let’s Encrypt offers only DV certificates (not OV or EV): FAQ. OID 2.23.140.1.2.1 and 1.3.6.1.4.1.44947.1.1.1 - Wikipedia
 
 ECC certificates: Certificates using an Elliptic Curve Key-pair.
 
@@ -52,78 +50,80 @@
 
 Elliptic Curve Cryptography (ECC): An approach to public-key cryptography based on elliptic curves. ECC requires smaller keys compared to non-EC cryptography to provide equivalent security. Wikipedia
 
-Elliptic Curve Digital Signature Algorithm (ECDSA): A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. Wikipedia. Let’s Encrypt supports ECDSA for end-user certificates but not yet for the chain: https://letsencrypt.org/upcoming-features/
+Elliptic Curve Digital Signature Algorithm (ECDSA): A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. Wikipedia. Let’s Encrypt supports ECDSA for end-user certificates, but not yet for the entire chain: https://letsencrypt.org/upcoming-features/
 
-Extended Validation (EV): Certificates for which the CA has verified the legal entity controlling the website. They contains information about that entity. Controls from the CA are more stricts than for OV certificates. Let’s Encrypt doesn’t offer EV certificates. Wikipedia
+Extended Validation (EV): Certificates for which the CA has verified the legal entity controlling the website. They contain information about that entity. Controls from the CA are more strict than for OV certificates. Let’s Encrypt doesn’t offer EV certificates. Wikipedia
 
-Fully qualified domain name (FQDN): The complete domain name of a website. For example, www.example.org is a FQDN , .org is its TLD and example.com the public suffix. Wikipedia
+Fully qualified domain name (FQDN): The complete domain name of a website. For example, www.example.org is a FQDN, .org is its TLD and example.com the public suffix. Wikipedia
 
-IdenTrust: A Certificate Authority. IdenTrust has cross-signed Let’s Encrypt intermediates: https://letsencrypt.org/certificates/. Wikipedia
+IdenTrust: A Certificate Authority. IdenTrust has cross-signed Let’s Encrypt intermediate cerificates: https://letsencrypt.org/certificates/. Wikipedia
 
-Intermediate certificate: A certificate, signed by the private key of a root or another intermediate. It’s private key is used to sign intermediates or leaf certificates. They are used to allow the signature of leaf certificates while keeping the private key of root certificate to be kept offline. They allow cross signing too. Wikipedia
+Intermediate certificate: A certificate, signed by the private key of a root or another intermediate. Its private key is used to sign intermediates or leaf certificates. They are used to allow the signature of leaf certificates while keeping the private key of root certificate to be kept offline. They also allow cross-signing. For a valid configuration, sites should send a complete certificate chain including all applicable intermediate certificates and the leaf certificate. (For Let’s Encrypt, this means that the certificate chain sent by the server will include one intermediate certificate and one leaf certificate, together sometimes called a full chain.) Wikipedia
 
 Internationalized Domain Names for Applications (IDNA): See internationalized domain name. RFC 5890 - RFC 5891
 
-internationalized Domain Name (IDN): Domains with characters others than a to z , 0 to 9 and - . They can for example contain Arabic, Chinese, Cyrillic, Tamil, Hebrew or the Latin alphabet-based characters with diacritics or ligatures. The encoded representation of an IDN domains starts with xn-- . IDN is supported by Let’s Encrypt: https://letsencrypt.org/2016/10/21/introducing-idn-support.html. Wikipedia
+internationalized Domain Name (IDN): Domains with characters other than a to z, 0 to 9, and the hyphen (-). They can for example contain Arabic, Chinese, Cyrillic, Tamil, Hebrew or the Latin alphabet-based characters with diacritics or ligatures. The encoded representation of an IDN domains starts with xn--. IDN is supported by Let’s Encrypt: https://letsencrypt.org/2016/10/21/introducing-idn-support.html. Certificates should be requested with the encoded xn-- form rather than with the international form, although some client applications may perform this translation automatically. Wikipedia
 
 Internet Security Research Group (ISRG): The organization behind Let’s Encrypt: https://www.abetterinternet.org/about/. Wikipedia
 
-Key-pair: The couple private-key / public-key used to sign or encrypt. The public key is used to encrypt or verify the signature. The private key is used to decrypt data (encrypt by the public key) or signed data. Wikipedia
+Key pair: The combination of the private key and public key used to sign or encrypt. The public key is used to encrypt or verify the signature. The private key is used to decrypt data (encrypted by the public key) or sign data. Wikipedia
 
 Leaf certificate (end-user certificate): A certificate signed by a trusted intermediate, valid for a set of domains. Wikipedia
 
 Let’s Encrypt (LE): The Certificate Authority controlled by ISRG. Wikipedia
 
-Mixed content: When a webpage using https loads sub-resources (such as Javascript, CSS or images) using http, browsers may remove the secure indication, or display an insecure logo: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
+Mixed content: When a webpage using HTTPS loads sub-resources (such as Javascript, CSS, or images) using HTTP, browsers may remove the secure indication, or display an insecure logo: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content. To fix the mixed content problem, all of the references to resources within the page should be changed to use HTTPS URLs.
+
+OCSP Must-Staple: Is the certificate property OID 1.3.6.1.5.5.7.1.24, informing the web client that the web server must use OCSP stapling. It’s used to ensure that a recent up-to-date revocation status of the certificate is confirmed by the web server on every connection. Let’s Encrypt can issue certificates with the OCSP Must-Staple property upon request. Mozilla Security Blog
 
-OCSP Must-Staple: Is the certificate property OID 1.3.6.1.5.5.7.1.24, informing the web client that the web server must use OCSP stapple. It’s used to ensure that the revocation status of the certificate is checked. Let’s Encrypt can provide certificate with the OCSP Must-Staple property. Mozilla Security Blog
+OCSP stapling: also known as TLS Certificate Status Request extension, OCSP stapling is a way for a Web server to automatically send to the Web client an up-to-date OCSP response signed by the Certificate Authority, so the Web client itself doesn’t need to contact the CA to check the continued validity of the certificate, improving speed and privacy. Wikipedia
 
-OCSP stapling: also known as TLS Certificate Status Request extension , is a way for a Web server to send to the Web client to send an OCSP response signed by the Certificate Authority, so the Web client doesn’t needs to contact the CA to check the validity of the certificate, improving speed and privacy. Wikipedia
+Object identifiers (OID): Hierarchical numeric identifiers standardized by the International Telecommunications Union (ITU) and ISO/IEC. OIDs are used within certificates to refer to particular kinds of objects or policy assertions. Internet standards and Certificate Policy and Certification Practice Statement documents define OID usage by Certificate Authorities. Wikipedia
 
-Object identifiers (OID): Hierarchical identifiers standardized by the International Telecommunications Union (ITU) and ISO/IEC. Certificate policy and Certification Practice Statement define OIDs usage by Certificate Authorities. Wikipedia
+Online Certificate Status Protocol (OCSP): A method to check the revocation status of a certificate (that is, to check whether or not a certificate authority indicates that the certificate should no longer be considered valid, even though its expiration date has not yet been reached). This request can create privacy problems because it allows the certificate authority, and Internet service providers, to directly observe who is visiting which site when. Wikipedia
 
-Online Certificate Status Protocol (OCSP): A method to check the Revocation of a certificate. Wikipedia
+Organization Validation (OV): Certificates for which the CA has at least minimally confirmed the legal entity controlling the website. They contain information about that entity. Let’s Encrypt doesn’t offer OV certificates. OID 2.23.140.1.2.2 - Wikipedia
 
-Organization Validation (OV): Certificates for which the CA has verified the legal entity controlling the website. They contain information about that entity. Let’s Encrypt doesn’t offer OV certificates. OID 2.23.140.1.2.2 - Wikipedia
+PEM file (.pem): A format for cryptographic information (originally specified as part of the Privacy Enhanced Mail Internet standards for secure email). A PEM document can represent information such as a private key, a public key, or a digital certificate.
 
 Personal Information Exchange Files (.pfx): A file that may contain a leaf certificate, its chain up to the root and the private key of the leaf. See also https://en.wikipedia.org/wiki/PKCS_12. Microsoft Hardware Dev Center
 
-Precertificate: Precertificates are certificates identical to the final certificate with an additional critical poison extension. They are used for certificate transparency. RFC 6962 Section 3.1
+Precertificate: Precertificates are certificates identical to the final certificate with an additional critical poison extension which prevents the precertificate from being accepted by software in the wild. They indicate that a certificate authority intends to issue a certificate with particular contents, and are used for Certificate Transparency. As a result, Certificate Transparency logs may end up logging both the precertificate and the subsequently issued certificate for a particular request. RFC 6962 Section 3.1
 
-Public Key Cryptographic Standards (PKCS): A group of public-key cryptography standards devised and published by RSA Security. Wikipedia
+Public Key Cryptographic Standards (PKCS): A group of public-key cryptography standards devised and published by RSA Security. These include means of representing various cryptographic objects used within a public-key infrastructure. Wikipedia
 
-Public Key Infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. Wikipedia
+Public Key Infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. The Web PKI is the overall infrastructure that allows public certificate authorities to issue digital certificates that can be accepted automatically by web browsers. Wikipedia
 
-Public Key Pinning (PKP): A security mechanism consisting to pin the private key (or certificate). The pinned one can be the leaf, an intermediate of the chain or the root. That mechanism must be handled very carefully because it may prevent even the owner of the website to use a valid certificate. Wikipedia
+Public Key Pinning (PKP): A security mechanism consisting to pin the private key (or certificate). The pinned item can be the leaf, an intermediate in the chain, or the root. That mechanism must be handled very carefully because a mistake may prevent even the owner of the website from using even a legitimate certificate. Wikipedia
 
-Public Suffix List (PSL): A list of Public Suffix maintained by Mozilla. Let’s Encrypt use that list for rate-limits: https://letsencrypt.org/docs/rate-limits/. https://publicsuffix.org/
+Public Suffix List (PSL): A list of Public Suffixes maintained by Mozilla, indicating which Internet domains are available for many separate entities to register subdomains. Web browsers use the list, among other things, for preventing sites that are likely operated by different entities from sharing web cookies with one another. Let’s Encrypt also uses the list for rate-limit calculations: https://letsencrypt.org/docs/rate-limits/. https://publicsuffix.org/
 
-Revocation: A certificate is valid until its expiration date, expect if the CA says it’s been revoked. The certificate may be revoked for various reasons such as the compromising of the private key. Browsers can check if a certificate is revoked using CRL or OCSP but Let’s Encrypt only supports the OCSP method. https://letsencrypt.org/docs/revoking/
+Revocation: A certificate is valid until its expiration date, expect if the CA says it’s been revoked. The certificate may be revoked for various reasons such as the compromise of the private key. Browsers can check if a certificate is revoked using CRL or OCSP, but Let’s Encrypt only supports the OCSP method. https://letsencrypt.org/docs/revoking/
 
-Root certificate: A self-signed certificate, controlled by a certificate authority, used to signed its intermediates certificates and included in certificates stores. Wikipedia
+Root certificate: A self-signed certificate, controlled by a certificate authority, used to sign its intermediate certificates and included in certificate stores. Wikipedia
 
-RSA: A public-key algorithm used to signed certificates. Wikipedia
+RSA: A public-key algorithm used for encryption and to digitally sign certificates. Wikipedia
 
-Self-signed certificate: A certificate signed by its own private key. Root certificates are self-signed. Wikipedia
+Self-signed certificate: A certificate signed by its own private key, and therefore trusted only due to prior arrangements made in the physical world, such as inclusion on a trusted root list. Root certificates are self-signed. Wikipedia
 
-Server Name Indication (SNI): When connecting to a web server, a client may specify during the TLS handshake which domain it wants to connect to, in order for the server to answer with the appropriate certificate when multiple domains are hosted behind the same IP. SNI is not encrypted, but it’s successor, ESNI, is. Wikipedia
+Server Name Indication (SNI): When connecting to a web server, a client may specify during the TLS handshake which domain it wants to connect to, in order for the server to answer with the appropriate certificate when multiple domains are hosted behind the same IP. The web server might send a different certificate, and show different content, depending on the name that the client requested by SNI. SNI is not encrypted, but its successor, ESNI, is. Wikipedia
 
-Signed Certificate Timestamp (SCT): A proof of publication of a certificate, signed by a Certificate Transparency log. The proof of the publication of a precertificate may be included in the corresponding final certificate. Let’s Encrypt certificates do include the required SCTs. https://www.certificate-transparency.org/how-ct-works
+Signed Certificate Timestamp (SCT): A proof of publication of a certificate, signed by a Certificate Transparency log. The proof of the publication of a precertificate may be included in the corresponding final certificate. Let’s Encrypt certificates do include the required SCTs. This allows a web browser to confirm that Let’s Encrypt has already published the certificate publicly, which prevents a fraudulent or inaccurate certificate from avoiding detection by being shown only to a small group of Internet users. https://www.certificate-transparency.org/how-ct-works
 
-Staging: Let’s Encrypt provide a staging API to test the certificate request without impacting rates-limits. Certificates generated by the staging environment are not publicly trusted. https://letsencrypt.org/docs/staging-environment/
+Staging: Let’s Encrypt provides a staging API to test certificate requests without impacting rate limits. Certificates generated by the staging environment are not publicly trusted. The staging environment should be used for testing, debugging, and ACME client development purposes. https://letsencrypt.org/docs/staging-environment/
 
-Subject Alternative Name (SAN): That field of a certificate is used to indicate for which domain(s) that certificate is valid. It replaces the usage of the Common Name, only now provided for compatibility reasons. SAN 2.5.29.17 (RFC 5280) - Wikipedia
+Subject Alternative Name (SAN): This field of a certificate is used to indicate for which domain(s) that certificate is valid. It replaces the usage of the Common Name, which is now provided for compatibility reasons only. A single certificate may contain many SANs and hence be valid for many different domain names. Let’s Encrypt allows up to 100 SANs to be included in a single certificate, and the names in those SANs need not be related in any way (although the requestor must prove its control over each name individually). SAN 2.5.29.17 (RFC 5280) - Wikipedia
 
-Top-Level Domain (TLD): Highest level in the hierarchical Domain Name System, such as country-code top-level domains (ccTLD) for example .de (Germany), .cn (China) and generic top-level domains (gTLD) for example .com , .org . Wikipedia
+Top-Level Domain (TLD): Highest level in the hierarchical Domain Name System, such as country-code top-level domains (ccTLD) for example .de (Germany), .cn (China) and generic top-level domains (gTLD) for example .com, .org. Wikipedia
 
-Unified Communications Certificate (UCC): See Subject Alternative Name (SAN)
+Unified Communications Certificate (UCC): See Subject Alternative Name (SAN).
 
-Web browser: A web client used to displays web pages. Example: Mozilla Firefox , Google Chrome or Internet Explorer . Wikipedia
+Web browser: A web client used to display web pages. Example: Mozilla Firefox, Google Chrome or Internet Explorer. Wikipedia
 
-Web client: Software capable to communicate with a Web server. Example: a web Browser or cURL.
+Web client: Software capable of communicating with a Web server. Example: a web browser or cURL.
 
-Web server: Software serving web pages (or by extension, the hardware server hosting it). Wikipedia
+Web server: Software serving web pages (or, by extension, the hardware server hosting it). Wikipedia
 
-Wildcard Certificates: Certificates valid for any subdomains (but for only one level): a certificate containing a SAN for *.example.com is valid for anything.example.com (but not for something.anything.example.com nor example.com ). Let’s Encrypt does provide Wildcards certificates. Wikipedia
+Wildcard Certificates: Certificates valid for any subdomains (but for only one level): a certificate containing a SAN for *.example.com is valid for anything.example.com (but not for something.anything.example.com nor example.com). A wildcard is indicated by an asterisk character (*) in place of a subdomain label. Let’s Encrypt does provide wildcard certificates, although the allowable methods of proving control of the domain in order to obtain a wildcard are more limited than for non-wildcard certificates. Wikipedia
 
 X.509: The standard defining the format of public key certificates. Wikipedia

#8

Hi @schoen,

Thank you for that review!

That’s fine :smile: I hope I didn’t made a mistake when importing your diff: https://github.com/letsencrypt/website/pull/415/commits/3a762f37764ca30df93233475506e0234ee404ca

I have made a few change and I have some questions:

“Certificate Revocation List (CRL): A method to inform web clients about the revocation status of a certificate. Wikipedia”

“Some web client, such as Google Chrome, insists on the presence of this proof in order for a certificate to be valid. Wikipedia”

Does that diff means you wish I remove that definition?

“Certificates should be requested with the encoded xn-- form rather than with the international form, although some ACME client applications may perform this translation automatically. Wikipedia”

“The Web PKI is the overall infrastructure that allows public certificate authorities to issue digital certificates that can be accepted automatically by web client. Wikipedia”


#9

Sounds good!

Should be plural: “Some web clients, such as Google Chrome, insist on the presence of this proof in order for a certificate to be valid. Wikipedia”

Sorry I didn’t comment on that more specifically. DSA itself is quite rarely used or referred to in web PKI applications these days, so I don’t think that it’s very helpful to have it in this glossary. I realize that the reason that you included it is because of ECDSA and the reference to DSA there, but I think a simpler solution might be to treat ECDSA as its own thing without regard to the DSA history. (I know Daniel J. Bernstein points out that ECDSA has inherited large classes of implementation difficulties from the original DSA, but this fact is probably not helpful to prospective Let’s Encrypt users trying to understand what ECDSA is.)

Sounds good!

That’s good, but it should be plural (“web clients”) or generic (“a web client”).

Thanks again!


#10

Also, I should say that I totally agree with Jürgen here. This is really great work and I think it will be extremely helpful to people who are approaching these topics for the first time (or even some people who’ve worked with them for a while).

I think eventually we might want to give a little more context for how some of these topics are specifically related to the use of Let’s Encrypt, but I don’t think that’s a reason to delay publishing the glossary.


#11

I’ve added the missing plurals and removed the definition of DSA :slightly_smiling_face: (I feel that definition was important in that context, but…) : https://github.com/letsencrypt/website/pull/415/commits/d2a7422b8337cf94b2c9f83eb16d9b56d3bb041a


#12

PR updated! https://github.com/letsencrypt/website/pull/415#issuecomment-451738970 (ping @schoen @jsha)


#13

This is live at https://letsencrypt.org/docs/glossary/. Thanks @tdelmas, great work! :star::star::star:


#14

Super-cool! Thanks for this, @tdelmas.


#15

@jsha @schoen And thank you both for all the improvements you did to it!