# Terminology

## Identity & configuration terms

**Component handle:** A specific device or piece of a system. In the Guardian ecosystem, a component is defined by a human-readable name, the certificates and keys it provides, and the operations it can perform.

**Hardware ID:** A unique identifier for a specific instance of a component, commonly the device's serial number. The hardware ID stays the same for the lifetime of the component, including across any reprovisioning operations.

**System:** A grouping of components, also known as a system definition. Provisioning requests for components in a system go through either manual or automatic approval, depending on the system's approval setting.

## Process terms

### Approval workflows

* **Automatic approval:** System setting where provisioning requests are processed automatically, without human intervention.
* **Manual approval:** System setting where provisioning requests require human review and approval before they are processed.

### Device provisioning

**Provisioning:** The process of securely establishing a device's identity and configuring the cryptographic credentials it uses for secure communication.

**Reprovisioning:** Updating an already-provisioned device with new certificates or configuration while keeping the same hardware identity.

**Provisioning methods**

* **Connected provisioning:** Provisioning workflow for devices with network connectivity that can communicate directly with Guardian Cloud.
* **Disconnected provisioning:** Provisioning workflow for devices without network connectivity, where provisioning requests are transferred manually as files.
* **Proxy provisioning:** Using a connected device to relay provisioning requests on behalf of disconnected devices that cannot communicate directly with Guardian Cloud.

## Cryptography & security terms

**Certificate Authority (CA):** The trusted entity that issues digital certificates. In Guardian deployments, Guardian Cloud can serve as a CA, though Guardian also works with other certificate authorities.

**Certificate Revocation List (CRL):** A list of certificates that have been revoked before their expiration date and should no longer be trusted.

**Certificate Signing Request (CSR):** A standardized message containing a device's public key and identity information, signed with the device's private key so that the recipient can confirm the requester actually holds that key. It is sent to Guardian Cloud to request a digital certificate.

**PKI (Public Key Infrastructure):** The cryptographic framework that Guardian uses to establish and maintain secure digital identities through certificates and keys.

**Trust anchor:** The root certificates against which all other certificates in the system are validated. Stored in the `TrustStore` file (`.mcts`).
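The provisioning flow defined under "Device provisioning" and the cryptographic terms above, worked end to end as an added example. This is not Guardian code: Go's standard `crypto/x509` library stands in for Guardian Cloud (the CA) and the Guardian Library (the device side), and `NewCA`, `DeviceCSR`, `Issue`, `IssueCRL`, `Verify` and the hardware ID `SN-0001` are this example's own names. The device generates its key pair and a CSR; the CA checks the CSR's proof-of-possession signature before issuing; a relying party chains the leaf certificate to the trust anchor and then consults a CRL that must itself be signed by that anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA generates a root key and self-signs its certificate: that certificate is
// the trust anchor relying parties pin. Assumption: a generic X.509 toy CA that
// stands in for Guardian Cloud, not Guardian's own implementation or file formats.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DeviceCSR runs on the device: the key pair is generated locally and the private
// key never leaves; only the CSR (public key + hardware ID, self-signed) goes out.
func DeviceCSR(hardwareID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hardwareID}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, der, err
}

// Issue runs on the CA: verify the CSR's self-signature (proof of possession of
// the private key) before signing a leaf certificate for the requested subject.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueCRL signs a revocation list naming the given certificates' serial numbers.
func IssueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// Verify is the relying-party check: chain the leaf to the trust anchor, then
// confirm the CRL is itself signed by that anchor and does not list the leaf.
func Verify(leaf, trustAnchor *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(trustAnchor); err != nil {
		return fmt.Errorf("crl not signed by trust anchor: %w", err)
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go 1.21+
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v is revoked", leaf.SerialNumber)
		}
	}
	return nil
}
```

Two points the glossary entries state but this makes concrete: the bytes returned by `DeviceCSR` are all that has to leave the device (in disconnected or proxy provisioning they are what travels as a file), while the private key it returns stays local, which is the property a Private Identity file is meant to preserve; and a CRL is only as trustworthy as its signature, so `Verify` checks the CRL against the trust anchor before believing that a serial is absent from it.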

## Guardian Platform terms

**Platform components:**

* **Guardian Cloud:** Cloud-based platform that processes certificate requests, enrolls devices into trust hierarchies, and generates certificates.
* **Guardian Library:** Software library that runs on your devices to parse configuration profiles, request certificates from Guardian Cloud, and perform cryptographic operations.

### Guardian file types and extensions

Guardian uses several file types with specific extensions during the provisioning process:

**Provision Request:** File that carries the device's Certificate Signing Requests (CSRs), and with them its public keys, to the Guardian Cloud backend. Extension: `.mcpr`

**TrustStore:** Trust anchors for the Guardian platform. Extension: `.mcts`

**Profile files:**

1. **Certified Profile to be Provisioned:** Signed instructions and configuration for the Guardian Library and for provisioning operations. This is the initial profile template for the device type, used as the input to the provisioning process. Extension: `.mcpp`
2. **Certified Profile:** Signed instructions and configuration for Guardian Library run-time and reprovisioning operations. This is the final, device-specific profile produced by the provisioning process. Extension: `.mcp`

**Identity files:**

1. **Private Identity to be Provisioned:** Key material for initial provisioning operations and connections. This is the initial private identity template. Extension: `.mcpip`
2. **Private Identity:** Key material for reprovisioning and run-time operations and connections. This is the final private identity file; it contains the private keys, which stay on the device. Extension: `.mcpi`
