= GENI ABAC Credentials =

GENI ABAC credentials are used to store or communicate ABAC statements directly. This page describes a format for passing RT0 credentials, which can express the [wiki:TIEDABACModel statements described here].

ABAC credentials are, like [GeniApiCredentials GENI Privilege credentials], XML documents signed using [http://www.w3.org/TR/xmldsig-core/ XML dsig]. The contents of an ABAC credential are contained in a {{{signed-credential}}} element. The ABAC data is in a {{{credential}}} element and the signature information in the {{{signatures}}} element. The {{{signatures}}} element holds XML digital signature information, signing the {{{credential}}} element.

The {{{credential}}} element contains:

 * A {{{type}}} element whose content is "abac"; this differentiates it from a GENI privilege credential.
 * A {{{version}}} element whose content is two non-negative integers separated by a period, with no spaces: a major and a minor version number. This page describes version 1.0.
 * An {{{expires}}} element whose content defines the last time the credential is valid. It is in the same format as the [GeniApiCredential GENI privilege credential].
 * An {{{rt0}}} element that includes an encoding of the RT0 rule. All rules take the form ''Principal.Attr'' {{{<-}}} ''RHS'' according to the following rules:
   * Principals are encoded by their Subject Key Identifier, a SHA1 hash of their public key data. These are shown in ''italics'' below.
   * Attributes are space-free strings containing alphanumeric characters and underscores.
   * An assignment of an attribute to a principal is of the form ''issuer''.attr <- ''principal''
   * An assignment of an attribute to the set of principals that hold an attribute is of the form ''issuer''.role1 <- ''principal''.role2
   * An assignment of an attribute to the set of principals assigned a given attribute by a principal with a given linking attribute has the form ''issuer''.role1 <- ''principal''.linking_attribute.role2. See [wiki:TIEDABACModel here] for examples of this type of role.
   * The right side of the assignment may be a conjunction of the principal forms above, for example ''issuer''.role0 <- ''principal1''.role1 & ''principal2''.role2
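As an added worked example (not part of this wiki page or of the GENI code base), the following Python checks the {{{credential}}} element of a credential against the rules above and parses the {{{rt0}}} rule into its issuer, attribute and right-hand-side terms, including the linking-attribute and conjunction forms. It assumes, where the page does not say: that Subject Key Identifiers are written as 40 hex digits, that {{{expires}}} is an ISO 8601 UTC timestamp, and that a literal {{{<-}}} inside XML text is written as {{{&lt;-}}}. It only checks that a {{{signatures}}} element is present; verifying the XML dsig over the {{{credential}}} element is a separate step that must succeed before any statement parsed here is trusted. The sample credential is constructed for the example.

```python
"""Check a GENI ABAC credential's <credential> element and parse its RT0 rule.

Added example, not the GENI project's code. Assumptions (not stated on the page):
  - a Subject Key Identifier (SHA1 of the public key) is written as 40 hex digits
  - <expires> is an ISO 8601 UTC timestamp such as 2099-01-01T00:00:00Z
  - the XML dsig in <signatures> is verified elsewhere; only its presence is checked
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SKI = r"[0-9a-fA-F]{40}"          # assumed hex form of the SHA1 key identifier
ATTR = r"[A-Za-z0-9_]+"            # space-free alphanumerics and underscores

LHS_RE = re.compile(rf"^({SKI})\.({ATTR})$")
# One RHS term: principal | principal.role | principal.linking_attribute.role
TERM_RE = re.compile(rf"^({SKI})(?:\.({ATTR}))?(?:\.({ATTR}))?$")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")   # major.minor, digits only, no spaces


def parse_rt0(rule):
    """Return (issuer, attr, terms). Each term is one of
    ('principal', ski), ('role', ski, role) or ('linked', ski, linking_attr, role);
    several terms mean a conjunction joined with '&'."""
    if "<-" not in rule:
        raise ValueError("RT0 rule has no '<-'")
    lhs, rhs = (s.strip() for s in rule.split("<-", 1))
    m = LHS_RE.match(lhs)
    if not m:
        raise ValueError(f"bad left-hand side: {lhs!r}")
    issuer, attr = m.groups()
    terms = []
    for raw in rhs.split("&"):
        t = TERM_RE.match(raw.strip())
        if not t:
            raise ValueError(f"bad right-hand side term: {raw.strip()!r}")
        ski, a1, a2 = t.groups()
        if a1 is None:
            terms.append(("principal", ski))
        elif a2 is None:
            terms.append(("role", ski, a1))
        else:
            terms.append(("linked", ski, a1, a2))
    return issuer, attr, terms


def check_credential(xml_text, now_iso=None):
    """Validate the credential element and return its parsed fields.
    Raises ValueError on any structural problem or if the credential has expired."""
    root = ET.fromstring(xml_text)
    if root.tag != "signed-credential":
        raise ValueError("root element is not signed-credential")
    cred = root.find("credential")
    if cred is None or root.find("signatures") is None:
        raise ValueError("credential or signatures element missing")
    if (cred.findtext("type") or "").strip() != "abac":
        raise ValueError("type is not 'abac'")
    ver = VERSION_RE.match((cred.findtext("version") or "").strip())
    if not ver:
        raise ValueError("version must be major.minor with no spaces")
    major, minor = int(ver.group(1)), int(ver.group(2))
    if major != 1:
        raise ValueError(f"unsupported major version {major}")
    exp_text = (cred.findtext("expires") or "").strip()
    expires = datetime.fromisoformat(exp_text.replace("Z", "+00:00"))  # assumed ISO 8601
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    if expires <= now:
        raise ValueError("credential has expired")
    issuer, attr, terms = parse_rt0(cred.findtext("rt0") or "")
    return {"version": (major, minor), "expires": expires,
            "issuer": issuer, "attr": attr, "terms": terms}


def is_valid(xml_text, now_iso=None):
    """True if check_credential accepts the document, False otherwise."""
    try:
        check_credential(xml_text, now_iso)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample: placeholder SKIs, not hashes of real keys.
SKI_A, SKI_B, SKI_C = "a" * 40, "b" * 40, "c" * 40
SAMPLE_XML = f"""<signed-credential>
  <credential>
    <type>abac</type>
    <version>1.0</version>
    <expires>2099-01-01T00:00:00Z</expires>
    <rt0>{SKI_A}.member_of_project &lt;- {SKI_B}.pi.member_of_project</rt0>
  </credential>
  <signatures><!-- XML dsig over the credential element goes here --></signatures>
</signed-credential>"""

if __name__ == "__main__":
    print(check_credential(SAMPLE_XML, "2030-01-01T00:00:00Z"))
```

The right-hand side is split on {{{&}}} first and each term matched separately, so a conjunction such as ''p1''.role1 & ''p2''.role2 yields one term per conjunct, and a term with two dotted attributes is classified as the linking-attribute form. Any term that does not match one of the three shapes is rejected rather than silently dropped, which is the behaviour you want before feeding statements to a policy engine.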