=== Validation ===
To be valid, certificates must
 - Follow the format rules above
 - Expire later than the current time
 - Be issued by a trusted certificate (possibly via a certificate chain)
   - Issuer's certificate must also validate
   - Signers must be marked as a CA, per above
   - Signers must have a URN indicating they are of type `authority`, as described in the [wiki:GeniApiIdentifiers URN wiki page]
   - Signers must have namespace authority over the subject of the certificate
     - Essentially, the authority name of the signer must be a prefix of the subject name. E.g. `a\.b` is an authority for `a\.b.c.d`, but `a` is not an authority for `a\.b.c.d` (the subject's name starts with the single component `a.b`, where the `.` is escaped). Also, any authority name is an authority for itself.
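An added example (not code from the GENI wiki or its tools) that applies the chain rules above in Python: names are split on unescaped dots so that `a\.b` is one component, and the signer's components must be a prefix of the subject's. The `Cert` class, its field names and the sample chain are a constructed stand-in for the certificate fields the rules inspect, not a real certificate API.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

def split_name(name: str) -> list[str]:
    """Split a dotted authority name into components; '\\.' is a literal dot, not a separator."""
    parts, cur, i = [], [], 0
    while i < len(name):
        if name.startswith("\\.", i):
            cur.append("."); i += 2
        elif name[i] == ".":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(name[i]); i += 1
    parts.append("".join(cur))
    return parts

def is_authority_for(authority: str, subject: str) -> bool:
    """Signer components must be a prefix of the subject's; a name is an authority for itself."""
    a, s = split_name(authority), split_name(subject)
    return s[:len(a)] == a

@dataclass
class Cert:  # constructed stand-in for the certificate fields the validation rules inspect
    name: str                 # authority name of the subject (dotted, '\\.' escapes a literal dot)
    urn_type: str             # type field of the subject's URN, e.g. 'authority'
    is_ca: bool               # whether the certificate is marked as a CA
    not_after: datetime       # expiry time
    issuer: str | None        # name of the signing certificate; None for a self-signed root

def validate(cert: Cert, store: dict[str, Cert], trusted: set[str],
             now: datetime, depth: int = 0) -> tuple[bool, str]:
    """Walk the chain from cert up to a trusted root, applying each rule; returns (ok, reason)."""
    if depth > 16:  # guard against cycles or absurdly long chains in the store
        return False, f"{cert.name}: chain too long"
    if cert.not_after <= now:
        return False, f"{cert.name}: expired"
    if cert.issuer is None:  # self-signed: acceptable only if it is one of our trust anchors
        return cert.name in trusted, f"{cert.name}: self-signed root, trusted={cert.name in trusted}"
    signer = store.get(cert.issuer)
    if signer is None:
        return False, f"{cert.name}: issuer {cert.issuer!r} not found"
    if not signer.is_ca:
        return False, f"{cert.name}: signer is not marked as a CA"
    if signer.urn_type != "authority":
        return False, f"{cert.name}: signer URN type is {signer.urn_type!r}, not 'authority'"
    if not is_authority_for(signer.name, cert.name):
        return False, f"{cert.name}: {signer.name!r} has no namespace authority over it"
    return validate(signer, store, trusted, now, depth + 1)  # the issuer's certificate must validate too
```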