= GENI ABAC Credentials =

GENI ABAC credentials are used to store or communicate ABAC statements directly.  This format describes a format for passing RT0 credentials, which can express the [wiki:TIEDABACModel statements described here].

ABAC credentials are, like [GeniApiCredentials GENI Privilege credentials], XML documents signed using [http://www.w3.org/TR/xmldsig-core/ XML dsig].  The contents of an ABAC credential are contained in a {{{signed-credential}}} element.  The ABAC data is in a {{{credential}}} element and signature information in the {{{signatures}}} element.  The {{{signatures}}} element holds XML digital signature information, signing the {{{credential}}} element.

The credential element contains:

 * A type element whose content is "abac" this differentiates it from a GENI privilege credential
 * A version element whose content is 2 non-negative integers separated by a period.  No spaces. A major and minor version number.  This page describes version 1.0
 * An expires element whose content defines the last time the credential is valid.  It is in the same format as the [GeniApiCredentials GENI privilege credential].
 * An rt0 element that includes an encoding of the RT0 rule.  All take the form Principal.Attr {{{<-}}} RHS according to the following rules
   * Principals are encoded by their Subject Key Identifier - a SHA1 hash fo their public key data.  These are shown in ''italics'' below.
   * Attributes are space-free strings containing alpha-numeric data and underscores.
   * An assignment of an attribute to a principal is of the form ''issuer''.attr <- ''principal''
   * An assignment of an attribute to a set of principals that have an attribute os of the form ''issuer''.role1 <- ''principal''.role2
   * An assignment of an attribute to a set of principals assigned a given arrtibute by a principal with a given linking attribute has the form ''issuer''.role1 <- ''principal''.linking_attribute.role2.  See [wiki:TIEDABACModel here] for examples of this type of role.
   * The right side of the assignment (RHS) may be a conjunction of the various RHS types above, e.g.,  ''issuer''.role0 <- ''principal1''.role1 & ''principal2''.role2

An example abac credential (formatted for display which may invalidate the signature) follows.  Note that the <- in the <rt0> element has been escaped as &lt;-.

{{{
<signed-credential>
 <credential xml:id="ref0">
  <type>abac</type>
  <version>1.0</version>
  <expires>2033-05-12T18:33:02Z</expires>
  <rt0>f98bec95a3ade2968378bd9ef77104e8f9031ec4.friendly&lt;-3f2531dd349d831a0217907b03f309ebb81a447e</rt0>
 </credential>
 <signatures>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#ref0">
     <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
     </Transforms>
     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <DigestValue>DEGT6ENGnJDxSK/KQ98B2lKGn2M=</DigestValue>
    </Reference>
   </SignedInfo>
   <SignatureValue>tDFuWoUimexrKlvnh6ie4fL7EX3NTsOSrry9X3szC9GZwNdxOHaDplwopFD/4/vE
Uv+e78OBWybRQKBKse0tuIc7mRQTUflwAKJHiIUbbffSJ/IGxxnKn4Oz559ouZej
cIv6ssSN5fNojSbwlYPGvCmtjOP+/kVE8enKyBqS++nbySUDM0yG28rF57kvRic0
mq0zWF1cKBgPNgH35jeGFlpsDqXIcESLM3z6RUtmvhNm/ynbbhqL0mOy7Os8hDqV
jKPlkTb5916lzMpYVuPeVmU2RX/OuqZET7cLo5LZ5P3V5X7XjSXU61rcr51a6HTO
L6eCu7/8eVcxsNVlytwepg==</SignatureValue>
   <KeyInfo>
    <KeyValue>
     <RSAKeyValue>
      <Modulus>
2r8ogNUkqz8FezxQgvDq29uMuDtzPIV5uTWlM5IVy0x1aKWREA+wG1Xe3b6jDzhD
D4BDQQkgUYIWTq+lnhsDqz60yKy+DZ/TzSU3kLbJAcXwBEJ7E6YkfOCGK0/D1Bzq
qrD4Jeq1LlkRplE3iwx0eN6CnrQzrD7WlntRP/gf6NKDDQYJBUvS/+boE0IRFFIG
NQem6CUlITFYnIh7bbcNqw8uJcupkLbUN+jg9oWu6+HXRGmUEBC2OCi+5fApDD7e
jyaBs/dTBOTgqVgUv/1ghf+eQrhXRiaug6Beh3U/IJsNjxIdYm01W/ekOgyC3hGz
XdTm56HwZGw55Z7nVsi+Mw==
</Modulus>
      <Exponent>
AQAB
</Exponent>
     </RSAKeyValue>
    </KeyValue>
    <X509Data>
     <X509Certificate>MIIC/TCCAeWgAwIBAgIIZYdpzvz3KRUwDQYJKoZIhvcNAQEFBQAwDDEKMAgGA1UE
AxMBQTAeFw0xMzA1MTcxODMzMDFaFw0zMzA1MTIxODMzMDFaMAwxCjAIBgNVBAMT
AUEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDavyiA1SSrPwV7PFCC
8Orb24y4O3M8hXm5NaUzkhXLTHVopZEQD7AbVd7dvqMPOEMPgENBCSBRghZOr6We
GwOrPrTIrL4Nn9PNJTeQtskBxfAEQnsTpiR84IYrT8PUHOqqsPgl6rUuWRGmUTeL
DHR43oKetDOsPtaWe1E/+B/o0oMNBgkFS9L/5ugTQhEUUgY1B6boJSUhMViciHtt
tw2rDy4ly6mQttQ36OD2ha7r4ddEaZQQELY4KL7l8CkMPt6PJoGz91ME5OCpWBS/
/WCF/55CuFdGJq6DoF6HdT8gmw2PEh1ibTVb96Q6DILeEbNd1ObnofBkbDnlnudW
yL4zAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
A1UdDgQWBBT5i+yVo63iloN4vZ73cQTo+QMexDAfBgNVHSMEGDAWgBT5i+yVo63i
loN4vZ73cQTo+QMexDANBgkqhkiG9w0BAQUFAAOCAQEAo68/jwfCJvWzYaSo7c5D
li9EJHbeLAheLAilURoh0OwmScNIbrlDh4DMBrNarY35t3tIHxS/tsHv52Haup67
coi/h4GvWNeeMxvciWfcAqY88nPG/Xz0BjxlpCB52MsN2sR6Q/WIyfmFOl6ixdV1
X4XGKnEpKZz3bLAL2BWyzXHY7gPRI/hPk5x073iblexlPwKW8m1htVGmmboEq6YF
7OrPsAYH1297ST/s/G0AvbTJv7eCmbWHnjgW75t1X0Weu5oO8b2c09N03lHuSSdh
1wdsfPvtNCe3yslkPJQG05Exisv+U7H4QpwgEKz2ZFfRTFpKjk82mwFthdPQF32E
jw==</X509Certificate>
     <X509SubjectName>CN=A</X509SubjectName>
     <X509IssuerSerial>
      <X509IssuerName>CN=A</X509IssuerName>
      <X509SerialNumber>7315932457414895893</X509SerialNumber>
     </X509IssuerSerial>
    </X509Data>
   </KeyInfo>
  </Signature>
 </signatures>
</signed-credential>

}}}