Changes between Version 13 and Version 14 of GeniApiCredentials


Timestamp:
07/31/12 12:43:45 (12 years ago)
Author:
Aaron Helsinger
Comment:

--

  • GeniApiCredentials

    v13 v14  
    118118 - For non delegated credentials, or for the root credential of a delegated credential (all the way back up any delegation chain), the signer must have authority over the target. Specifically, the credential issuer must have a URN indicating it is of type `authority`, and it must be the `toplevelauthority` or a parent authority of the authority named in the credential's target URN. See the [wiki:GeniApiIdentifiers URN rules page] for details about authorities.
    119119 - For delegated credentials, the signer of the credential must be the subject (owner) of the parent credential), until you get to the root credential (no parent), in which case the above rule applies.
     120
     121== Format Change History ==
     122
     123AM API v3 standardized some additional elements of credentials and certificates. The new requirements with AM API v3 are documented on this page, and known as "geni_sfa v3". This section defines the changes from the old format, now known as geni_sfa v2.
     124
     125The full set of changes proposed and accepted is documented here: http://groups.geni.net/geni/wiki/GAPI_AM_API_V3_DELTAS#Adopted:ChangeSetK:Standardizecertificatesandcredentials
     126
     127In summary, these changes standardize elements of certificates (used in credentials), and the structure of URNs (including user and slice URNs, used in credentials).
     128
     129Certificate changes for geni_sfa v3 credentials:
     130 - The Subject Alternative Name field must include 3 pieces of information: URN, UUID, and Email.
     131  - v2 credentials could legally includes all 3 of these, but were not required to do so.
     132  - Entries are comma separated ('{{{, }}}'), and may be in any order.
     133  - 1: The URN identifier, following GENI URN standards as described here: http://groups.geni.net/geni/wiki/GeniApiIdentifiers
     134   - The URN is identifiable by looking for the entry beginning "{{{URI:urn:publicid:IDN}}}", for example: {{{URI:urn:publicid:IDN+emulab.net+user+stoller}}}.
     135  - 2: A UUID, providing a unique ID for the entity.
     136   - The UUID must be used with the URN to fully identify the slice or user. UUID alone should not be accepted. This ensures that the authority certifying the slice or user is always identified when referring to the slice or user.
     137   - In the hexadecimal digit string format given in [http://www.ietf.org/rfc/rfc4122.txt RFC 4122]
     138   - The UUID is identified with this prefix: "{{{URI:urn:uuid}}}" (as specified by RFC4122), for example: {{{URI:urn:uuid:33178d77-a930-40b1-9469-3aae08755743}}}.
     139   - The `COPY` tag is not supported.
     140  - 3: The email address is an [http://tools.ietf.org/html/rfc2822#section-3.4.1 RFC2822] compliant and working address for contacting the subject of the certificate (experimenter, authority administrator, or slice owner).
     141   - The email entry is identified by the prefix "{{{email:}}}", for example: {{{email:smith@example.com}}}
     142   - The `COPY` tag is not supported.
     143   - Note that the slice and user email addresses are addresses for contacting the responsible party - the slice owner or creator and the user. These may be aliases.
     144
     145Certificate elements standardized (but not necessarily changed) for geni_sfa v3 credentials:
     146 - {{{Version}}} shall be properly marked: 3
     147 - {{{serialNum}}} is required to be unique within the certificate authority: each newly issued certificate must have a unique serial number.
     148 - The Distinguished Name should include a human readable identifier, for both subject and issuer. Details are not specified.
     149 - Only authority certificates (but all authorities that issue certificates) shall be marked {{{CA:TRUE}}} in the x509 v3 basic constraints; Slices and users shall be marked {{{FALSE}}}.
     150 - Recommendation: Authorities are encouraged but not required to include a URL where more information about the subject is available (eg slice authority registry URL). That URL may be included in a certificate extension, in the DN, or in the subjectAltName.
     151
     152Slice URNs are now standardized (not a change):
     153 - Slice URN format: {{{urn:publicid:IDN+<SA name>+slice+<slice name>}}}
     154 - Slice names are <=19 characters, only alphanumeric plus hyphen (no hyphen in first character): {{{'^[a-zA-Z0-9][-a-zA-Z0-9]\{0,18\}$'}}}
     155 - Aggregates are required to accept any compliant slice name and URN.
     156
     157User URNs are now standardized (not a change):
     158 - User URNs (which contain the authority name and the username) are required to be temporally and globally unique.
     159 - Usernames are case-insensitive internally, though they may be case-sensitive in display.
     160  - EG {{{JohnSmth}}} as a display name is {{{johnsmth}}} internally, and there cannot also be a user {{{JOHNSMTH}}}.
     161 - Usernames are limited to 8 characters.
     162 - Usernames should begin with a letter and be alphanumeric or underscores - no hyphen or '.': ({{{'^[a-zA-Z][\w]\{1,8\}$'}}}).
    120163
    121164== Development Experience ==
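Review bot: the username pattern added at 162, `'^[a-zA-Z][\w]\{1,8\}$'`, does not agree with the limit stated at 161 ("Usernames are limited to 8 characters"): the mandatory leading letter plus a `\{1,8\}` quantifier accepts names of 2 to 9 characters, so a 9-character username passes and a single-letter username is rejected. If the 8-character limit counts the first letter, the quantifier should be `\{0,7\}` (or `\{1,7\}` if a two-character minimum is intended), and the prose at 161 should state the minimum explicitly so that validators on aggregates and authorities agree. For comparison, the slice-name pattern at 154, `'^[a-zA-Z0-9][-a-zA-Z0-9]\{0,18\}$'`, is consistent with its stated <=19-character limit. Two smaller points in the same hunk: 131 reads "could legally includes" (should be "include"), and the context line 119 has an unbalanced closing parenthesis after "parent credential".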