| | 120 | |
| | 121 | == Format Change History == |
| | 122 | |
| | 123 | AM API v3 standardized some additional elements of credentials and certificates. The new requirements with AM API v3 are documented on this page, and known as "geni_sfa v3". This section defines the changes from the old format, now known as geni_sfa v2. |
| | 124 | |
| | 125 | The full set of changes proposed and accepted is documented here: http://groups.geni.net/geni/wiki/GAPI_AM_API_V3_DELTAS#Adopted:ChangeSetK:Standardizecertificatesandcredentials |
| | 126 | |
| | 127 | In summary, these changes standardize elements of certificates (used in credentials), and the structure of URNs (including user and slice URNs, used in credentials). |
| | 128 | |
| | 129 | Certificate changes for geni_sfa v3 credentials: |
| | 130 | - The Subject Alternative Name field must include 3 pieces of information: URN, UUID, and Email. |
| | 131 | - v2 credentials could legally includes all 3 of these, but were not required to do so. |
| | 132 | - Entries are comma separated ('{{{, }}}'), and may be in any order. |
| | 133 | - 1: The URN identifier, following GENI URN standards as described here: http://groups.geni.net/geni/wiki/GeniApiIdentifiers |
| | 134 | - The URN is identifiable by looking for the entry beginning "{{{URI:urn:publicid:IDN}}}", for example: {{{URI:urn:publicid:IDN+emulab.net+user+stoller}}}. |
| | 135 | - 2: A UUID, providing a unique ID for the entity. |
| | 136 | - The UUID must be used with the URN to fully identify the slice or user. UUID alone should not be accepted. This ensures that the authority certifying the slice or user is always identified when referring to the slice or user. |
| | 137 | - In the hexadecimal digit string format given in [http://www.ietf.org/rfc/rfc4122.txt RFC 4122] |
| | 138 | - The UUID is identified with this prefix: "{{{URI:urn:uuid}}}" (as specified by RFC4122), for example: {{{URI:urn:uuid:33178d77-a930-40b1-9469-3aae08755743}}}. |
| | 139 | - The `COPY` tag is not supported. |
| | 140 | - 3: The email address is an [http://tools.ietf.org/html/rfc2822#section-3.4.1 RFC2822] compliant and working address for contacting the subject of the certificate (experimenter, authority administrator, or slice owner). |
| | 141 | - The email entry is identified by the prefix "{{{email:}}}", for example: {{{email:smith@example.com}}} |
| | 142 | - The `COPY` tag is not supported. |
| | 143 | - Note that the slice and user email addresses are addresses for contacting the responsible party - the slice owner or creator and the user. These may be aliases. |
| | 144 | |
| | 145 | Certificate elements standardized (but not necessarily changed) for geni_sfa v3 credentials: |
| | 146 | - {{{Version}}} shall be properly marked: 3 |
| | 147 | - {{{serialNum}}} is required to be unique within the certificate authority: each newly issued certificate must have a unique serial number. |
| | 148 | - The Distinguished Name should include a human readable identifier, for both subject and issuer. Details are not specified. |
| | 149 | - Only authority certificates (but all authorities that issue certificates) shall be marked {{{CA:TRUE}}} in the x509 v3 basic constraints; Slices and users shall be marked {{{FALSE}}}. |
| | 150 | - Recommendation: Authorities are encouraged but not required to include a URL where more information about the subject is available (eg slice authority registry URL). That URL may be included in a certificate extension, in the DN, or in the subjectAltName. |
| | 151 | |
| | 152 | Slice URNs are now standardized (not a change): |
| | 153 | - Slice URN format: {{{urn:publicid:IDN+<SA name>+slice+<slice name>}}} |
| | 154 | - Slice names are <=19 characters, only alphanumeric plus hyphen (no hyphen in first character): {{{'^[a-zA-Z0-9][-a-zA-Z0-9]\{0,18\}$'}}} |
| | 155 | - Aggregates are required to accept any compliant slice name and URN. |
| | 156 | |
| | 157 | User URNs are now standardized (not a change): |
| | 158 | - User URNs (which contain the authority name and the username) are required to be temporally and globally unique. |
| | 159 | - Usernames are case-insensitive internally, though they may be case-sensitive in display. |
| | 160 | - EG {{{JohnSmth}}} as a display name is {{{johnsmth}}} internally, and there cannot also be a user {{{JOHNSMTH}}}. |
| | 161 | - Usernames are limited to 8 characters. |
| | 162 | - Usernames should begin with a letter and be alphanumeric or underscores - no hyphen or '.': ({{{'^[a-zA-Z][\w]\{1,8\}$'}}}). |
