Changes between Initial Version and Version 1 of TIEDABACCredential


Timestamp:
05/17/13 16:32:12 (11 years ago)
Author:
faber@isi.edu
Comment:


= GENI ABAC Credentials =

GENI ABAC credentials are used to store or communicate ABAC statements directly.  This page describes a format for passing RT0 credentials, which can express the [wiki:TIEDABACModel statements described here].

ABAC credentials are, like [GeniApiCredentials GENI Privilege credentials], XML documents signed using [http://www.w3.org/TR/xmldsig-core/ XML dsig].  The contents of an ABAC credential are contained in a {{{signed-credential}}} element.  The ABAC data is in a {{{credential}}} element and signature information in the {{{signatures}}} element.  The {{{signatures}}} element holds XML digital signature information, signing the {{{credential}}} element.

The credential element contains:

 * A type element whose content is "abac"; this differentiates it from a GENI privilege credential.
 * A version element whose content is two non-negative integers separated by a period, with no spaces: a major and a minor version number.  This page describes version 1.0.
 * An expires element whose content defines the last time the credential is valid.  It is in the same format as the [GeniApiCredential GENI privilege credential].
 * An rt0 element that includes an encoding of the RT0 rule.  All rules take the form ''Principal.Attr'' {{{<-}}} ''RHS'' according to the following rules:
   * Principals are encoded by their Subject Key Identifier, a SHA1 hash of their public key data.  These are shown in ''italics'' below.
   * Attributes are space-free strings containing alphanumeric characters and underscores.
   * An assignment of an attribute to a principal is of the form ''issuer''.attr <- ''principal''
   * An assignment of an attribute to the set of principals that have an attribute is of the form ''issuer''.role1 <- ''principal''.role2
   * An assignment of an attribute to the set of principals assigned a given attribute by a principal with a given linking attribute has the form ''issuer''.role1 <- ''principal''.linking_attribute.role2.  See [wiki:TIEDABACModel here] for examples of this type of role.
   * The right side of the assignment may be a conjunction of the various principal types, of this form: ''issuer''.role0 <- ''principal1''.role1 & ''principal2''.role2

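The structure above, exercised by an added Python example that is not TIED/GENI project code: it parses a constructed signed-credential document, checks the fixed type and version fields, and decomposes the rt0 rule into issuer, attribute and right-hand-side terms covering the four forms listed. The 40-hex-character SKI encoding, the ISO 8601 expiry value and tolerance of whitespace around {{{<-}}} and & are assumptions; signature checking is not shown.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not TIED/GENI code.  Element names follow the page; the
# 40-hex-char SKI encoding and whitespace tolerance are assumptions.
SKI = r"[0-9a-fA-F]{40}"     # SHA1 of the principal's public key, as hex
ATTR = r"[A-Za-z0-9_]+"      # alphanumerics and underscore, no spaces
LHS = re.compile(rf"^({SKI})\.({ATTR})$")
TERM = re.compile(rf"^({SKI})(?:\.({ATTR}))?(?:\.({ATTR}))?$")

def parse_rt0(rule):
    """Return (issuer, attr, terms) for 'issuer.attr <- t1 & t2 ...'.

    Each term is (principal, attr_or_linking_attr, role); None marks absent
    parts, so the four right-hand-side forms from the page all fit.
    """
    lhs, sep, rhs = rule.partition("<-")
    if not sep:
        raise ValueError("rule lacks '<-'")
    m = LHS.match(lhs.strip())
    if not m:
        raise ValueError(f"bad left-hand side: {lhs!r}")
    terms = []
    for t in rhs.split("&"):
        tm = TERM.match(t.strip())
        if not tm:
            raise ValueError(f"bad right-hand side term: {t!r}")
        terms.append(tm.groups())
    return m.group(1), m.group(2), terms

def parse_credential(xml_text):
    """Check the fixed fields, then return (version, expires, parsed rt0).

    Verifying the XML dsig in the signatures element is out of scope here.
    """
    cred = ET.fromstring(xml_text).find("credential")
    if cred is None or cred.findtext("type") != "abac":
        raise ValueError("not an ABAC credential")
    version = cred.findtext("version", "").strip()
    if not re.fullmatch(r"\d+\.\d+", version) or not version.startswith("1."):
        raise ValueError(f"unsupported version {version!r}")
    return version, cred.findtext("expires"), parse_rt0(cred.findtext("rt0") or "")

# Constructed sample: placeholder SKIs and expiry, not real values.
ISSUER, ALICE, BOB = "a" * 40, "b" * 40, "c" * 40
SAMPLE = f"""<signed-credential><credential><type>abac</type>
<version>1.0</version><expires>2013-06-17T16:32:12Z</expires>
<rt0>{ISSUER}.member &lt;- {ALICE}.admin.staff &amp; {BOB}</rt0>
</credential><signatures/></signed-credential>"""
```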