Changes between Version 6 and Version 7 of GeniApiCredentials


Ignore:
Timestamp:
04/19/12 11:37:24 (8 years ago)
Author:
Aaron Helsinger
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • GeniApiCredentials

    v6 v7  
    9292If the credential is a delegated credential then the original credential is placed within its parent tag.
    9393
    94 
     94== Delegation ==
     95Credentials may be delegated, if the owner (subject) has `can_delegate` for one or more privileges. To generate a delegated credential, the owner re-signs their own credential, granting a subset of their own rights to a new owner. The delegated credential should be for the same target, for the same or a shorter duration, include the original credential in the `parent` field, be signed by the original credential's subject (subject of parent == issuer of delegated credential), and grant a subset of the original credential's privileges.
    9596
    9697== Credential Validation ==
     
    9899Please see http://www.protogeni.net/trac/protogeni/wiki/Credentials for credential verification and validation details.
    99100
     101In summary thought
     102 - Credentials must validate against the credential schema.
     103 - The credential signature must be valid, as per the [http://www.w3.org/TR/xmldsig-core/ XML Digital Signature standard].
     104 - All contained certificates must be valid and trusted (trace back through all valid/trusted certificates to a trusted root certificate), and follow the GENI Certificate restrictions (see GeniApiCertificates).
     105 - The expiration of the credential and all contained certificates must be later than the current time.
     106 - All contained URNs must follow the [wiki:GeniApiIdentifiers GENI URN rules].
     107 - The signer of the root credential (all the way back up any delegation chain) must have authority over the target. Specifically, the root credential issuer mut have a URN indicating it is of type `authority`, and it must be the `toplevelauthority` or a parent authority of the authority named in the credential's target URN.
    100108
    101109== Development Experience ==