
Principals

For the purposes of this discussion, the term principal may be precisely defined as follows: an entity that is capable of believing that it can communicate securely with another entity. In DCE security, principals are represented as entries in the registry database. DCE principals include the following:

· Users, who are also referred to as interactive principals

· Instances of DCE (system-level) servers

· Instances of application-level servers

· Computers (hosts) in a DCE cell

· Key distribution service (KDS) surrogates (these are used for cross-cell authentication; see Intercell Authentication)

The DCE security server itself comprises three principals that correspond to the three services that it provides: KDS, registry service, and privilege service. The KDS in turn provides two subservices: the authentication (sub)service and the ticket-granting (sub)service (TGS).

Note: As used in the literature, the term authentication service is sometimes ambiguous. This name may be, in places, associated with at least three distinct entities: the authentication (sub)service of the KDS, the KDS itself (comprising its authentication and ticket-granting subservices), and the entire DCE Security Service (comprising the KDS, the registry service, and the privilege service).

These three servers (the KDS, the registry service, and the privilege service) make up the main part of the DCE network trusted computing base. The KDS, registry service, and privilege service are all commonly implemented in a single process called the security server or security daemon.