107 | | - The signer of the root credential (all the way back up any delegation chain) must have authority over the target. Specifically, the root credential issuer mut have a URN indicating it is of type `authority`, and it must be the `toplevelauthority` or a parent authority of the authority named in the credential's target URN. |
| 107 | - The same rules apply to any parent credential, if the credential is delegated (and on up the delegation chain). |
| 108 | - For non delegated credentials, or for the root credential of a delegated credential (all the way back up any delegation chain), the signer must have authority over the target. Specifically, the credential issuer mut have a URN indicating it is of type `authority`, and it must be the `toplevelauthority` or a parent authority of the authority named in the credential's target URN. See the [wiki:GeniApiIdentifiers URN rules page] for details about authorities. |
| 109 | - For delegated credentials, the signer of the credential must be the subject (owner) of the parent credential), until you get to the root credential (no parent), in which case the above rule applies. |