Changes between Version 7 and Version 8 of GeniApiCredentials


Timestamp: 04/19/12 11:58:27 (12 years ago)
Author: Aaron Helsinger
Comment:

--

  • GeniApiCredentials

    v7 v8  
    9797== Credential Validation ==
    9898
    99 Please see http://www.protogeni.net/trac/protogeni/wiki/Credentials for credential verification and validation details.
     99Please see http://www.protogeni.net/trac/protogeni/wiki/Credentials for a discussion of credential verification and validation details.
    100100
    101 In summary thought
     101To validate a credential:
    102102 - Credentials must validate against the credential schema.
    103103 - The credential signature must be valid, as per the [http://www.w3.org/TR/xmldsig-core/ XML Digital Signature standard].
     
    105105 - The expiration of the credential and all contained certificates must be later than the current time.
    106106 - All contained URNs must follow the [wiki:GeniApiIdentifiers GENI URN rules].
    107  - The signer of the root credential (all the way back up any delegation chain) must have authority over the target. Specifically, the root credential issuer mut have a URN indicating it is of type `authority`, and it must be the `toplevelauthority` or a parent authority of the authority named in the credential's target URN.
     107 - The same rules apply to any parent credential, if the credential is delegated (and on up the delegation chain).
     108 - For non delegated credentials, or for the root credential of a delegated credential (all the way back up any delegation chain), the signer must have authority over the target. Specifically, the credential issuer mut have a URN indicating it is of type `authority`, and it must be the `toplevelauthority` or a parent authority of the authority named in the credential's target URN. See the [wiki:GeniApiIdentifiers URN rules page] for details about authorities.
     109 - For delegated credentials, the signer of the credential must be the subject (owner) of the parent credential), until you get to the root credential (no parent), in which case the above rule applies.
    108110
    109111== Development Experience ==
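
Review bot: New line 107 ("The same rules apply to any parent credential") is ambiguous next to new line 108, which limits the issuer-authority rule to non-delegated credentials and the root of a delegation chain. A reader implementing validation could apply the authority check to every link or to none, so name the rules that carry up the chain (schema, signature, expiration, URN format) explicitly in line 107. New line 108 also keeps the typo "mut have" from old line 107, "non delegated" should be hyphenated, and new line 109 has an unmatched closing parenthesis after "parent credential".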