Changes between Version 6 and Version 7 of GeniApiCredentials
Timestamp: 04/19/12 11:37:24 (12 years ago)
GeniApiCredentials
v6 v7 92 92 If the credential is a delegated credential then the original credential is placed within its parent tag. 93 93 94 94 == Delegation == 95 Credentials may be delegated, if the owner (subject) has `can_delegate` for one or more privileges. To generate a delegated credential, the owner re-signs their own credential, granting a subset of their own rights to a new owner. The delegated credential should be for the same target, for the same or a shorter duration, include the original credential in the `parent` field, be signed by the original credential's subject (subject of parent == issuer of delegated credential), and grant a subset of the original credential's privileges. 95 96 96 97 == Credential Validation == … … 98 99 Please see http://www.protogeni.net/trac/protogeni/wiki/Credentials for credential verification and validation details. 99 100 101 In summary thought 102 - Credentials must validate against the credential schema. 103 - The credential signature must be valid, as per the [http://www.w3.org/TR/xmldsig-core/ XML Digital Signature standard]. 104 - All contained certificates must be valid and trusted (trace back through all valid/trusted certificates to a trusted root certificate), and follow the GENI Certificate restrictions (see GeniApiCertificates). 105 - The expiration of the credential and all contained certificates must be later than the current time. 106 - All contained URNs must follow the [wiki:GeniApiIdentifiers GENI URN rules]. 107 - The signer of the root credential (all the way back up any delegation chain) must have authority over the target. Specifically, the root credential issuer mut have a URN indicating it is of type `authority`, and it must be the `toplevelauthority` or a parent authority of the authority named in the credential's target URN. 100 108 101 109 == Development Experience ==
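Review bot: In the added Delegation paragraph (v7 line 95), the constraints are worded as "should be for the same target, for the same or a shorter duration, ...", while the validation list added further down uses "must" throughout. If a verifier is expected to reject a delegated credential that violates any of these, state them as "must" so the two sections agree. The paragraph also says the owner needs `can_delegate` "for one or more privileges" but does not say that only the privileges carrying `can_delegate` may appear in the delegated credential; as written, a reader could take a single delegable privilege as permission to delegate all of them. Suggest making that per-privilege restriction explicit.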
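Review bot: Two typos in the added Credential Validation summary (v7 lines 101-107): "In summary thought" should read "In summary, though:" and "the root credential issuer mut have" should read "must have". Beyond wording, the list checks the signer of the root credential but none of the per-link delegation conditions introduced in the Delegation section (subject of parent == issuer of delegated credential, same target, same or shorter duration, privileges a subset of the parent's). Since this list reads as the validation checklist, suggest adding a bullet that every link in a delegation chain must satisfy those conditions, or an explicit pointer back to the Delegation section. The term `toplevelauthority` is also used without a definition or link; a reference to where it is defined would help.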