Changes between Version 6 and Version 7 of GeniApiCredentials


Timestamp:
04/19/12 11:37:24 (12 years ago)
Author:
Aaron Helsinger
Comment:

--

  • GeniApiCredentials

    v6 v7  
    9292If the credential is a delegated credential then the original credential is placed within its parent tag.
    9393
    94 
     94== Delegation ==
     95Credentials may be delegated, if the owner (subject) has `can_delegate` for one or more privileges. To generate a delegated credential, the owner re-signs their own credential, granting a subset of their own rights to a new owner. The delegated credential should be for the same target, for the same or a shorter duration, include the original credential in the `parent` field, be signed by the original credential's subject (subject of parent == issuer of delegated credential), and grant a subset of the original credential's privileges.
    9596
    9697== Credential Validation ==
     
    9899Please see http://www.protogeni.net/trac/protogeni/wiki/Credentials for credential verification and validation details.
    99100
     101In summary thought
     102 - Credentials must validate against the credential schema.
     103 - The credential signature must be valid, as per the [http://www.w3.org/TR/xmldsig-core/ XML Digital Signature standard].
     104 - All contained certificates must be valid and trusted (trace back through all valid/trusted certificates to a trusted root certificate), and follow the GENI Certificate restrictions (see GeniApiCertificates).
     105 - The expiration of the credential and all contained certificates must be later than the current time.
     106 - All contained URNs must follow the [wiki:GeniApiIdentifiers GENI URN rules].
     107 - The signer of the root credential (all the way back up any delegation chain) must have authority over the target. Specifically, the root credential issuer mut have a URN indicating it is of type `authority`, and it must be the `toplevelauthority` or a parent authority of the authority named in the credential's target URN.
    100108
    101109== Development Experience ==
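Review bot: the new "Credential Validation" summary does not carry over the constraints stated in the new "Delegation" section, so a verifier following only the bulleted list would accept a delegated credential whose chain is malformed: for a credential with a `parent`, the list should also require that the parent's subject is the issuer of the delegated credential, that the parent grants `can_delegate` on each delegated privilege, that the target URN is the same, that the expiration is not later than the parent's, and that the privileges are a subset of the parent's, checked recursively up the chain; only the authority-over-target check on the root signer appears in the list. Suggest adding a bullet such as " - For delegated credentials, every credential in the chain must satisfy the Delegation rules above with respect to its `parent`." Two typos in the added text as well: "In summary thought" should read "In summary though" (or "In summary:"), and "the root credential issuer mut have a URN" should read "must have".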