Wiki Navigation

← Previous Change
Page History
Next Change →

Changes between Version 1 and Version 2 of Credentials

Author:: gary (IP: 155.98.60.98)
Timestamp:: 06/09/10 12:31:07 (3 months ago)
Comment:: Add a section with detailed credential validation requirements.

Legend:

: Unmodified
: Added
: Removed
: Modified

Credentials

v1	v2
36	36	The wildcard privilege "*" may be used in place of any other
37	37	privilege string.
38
39		~~A simple credential (one with no ancestors) must be signed by the~~
40		~~ProtoGENI authority whose certificate subject exactly matches the authority~~
41		~~in the `target` URN. (This certificate will be included in a signature~~
42		~~element, according to standard XML Signature processing. Other~~
43		~~certificates might also be enclosed, since it is necessary to~~
44		~~verify CA certificates up to one of the ultimately trusted roots.)~~
45	38
46	39	For the detailed specification, please consult the
86	79	outermost child credential.
87	80
88		~~No privilege may be included in a child credential unless either~~
89		~~a privilege with identical name or the privilege named "*" is present~~
90		~~in the parent. In addition, the parent privilege must include~~
91		~~the element {{{<can_delegate>1</can_delegate>}}}.~~
92
93		~~The expiry time on a child credential may be no later than the~~
94		~~expiry time of the parent.~~
95
96	81	[wiki:DelegationExample A concrete example] of a delegated
97	82	credential is available, along with instructions on how to use
98	83	the ProtoGENI tools to create one.
	84
	85	== Validating credentials ==
	86
	87	The following procedure should be followed before accepting any credential
	88	as proof of corresponding privileges. Naturally, all credentials must
	89	be ''syntactically'' correct (and validate against the
	90	[attachment:wiki:Authentication:credential.rnc credential schema]);
	91	the following requirements describe restrictions which are necessary
	92	for ''semantic'' correctness as well.
	93
	94	For any credential to be honoured, the current time must be no later
	95	than that specified in the `expires` element of the credential. When
	96	issuing subsequent credentials under the authority conferred by an
	97	existing credential (e.g. when a slice credential has been presented to
	98	authenticate the issuing of a corresponding sliver credential), the
	99	`expires` element time of the consequent credential must be no later
	100	than the `expires` element time of the existing credential.
	101
	102	=== Validating the root ===
	103
	104	Any simple credential (one with no ancestors), including the ultimate
	105	root credential which is contained in delegated credentials, must be
	106	signed by a ProtoGENI authority whose certificate `subject` matches the
	107	authority in the `target` URN. (This certificate will be included in
	108	a signature element, according to standard XML Signature processing.
	109	Other certificates might also be enclosed, since it is necessary to
	110	verify CA certificates up to one of the ultimately trusted roots.)
	111
	112	The certificate subject is considered to match the credential target
	113	if and only if:
	114
	115	1. The subject [wiki:URNs URN] in the authority's certificate has
	116	`resource-type` "authority".
	117	1. The `toplevelauthority` field in the authority's certificate
	118	subject [wiki:URNs URN] is identical to the `toplevelauthority`
	119	in the credential target URN.
	120	[http://tools.ietf.org/html/rfc3151 RFC 3151]
	121	defines transcription and equivalence of public identifier URNs.
	122
	123	=== Validating any delegation ===
	124
	125	If the credential has been delegated, then each delegation must
	126	satisfy the following:
	127
	128	1. The `type` field of the child must be identical to the `type`
	129	field of the parent.
	130	1. The expiry time on a child credential must be no later than the
	131	expiry time of the parent.
	132	1. The expiry time of the child must be no later than the current
	133	time.
	134	1. A valid signature over the child credential, signed by the principal
	135	identified in the `owner` element of the parent credential,
	136	must be present in the `signatures` element of the outermost
	137	credential.
	138	1. For credentials of `type` `privilege`:
	139	a. No privilege may be included in a child credential unless either
	140	a privilege with identical name or the privilege named "*" is present
	141	in the parent. In addition, the parent privilege must include
	142	the element {{{<can_delegate>1</can_delegate>}}}.
	143
	144	=== Validating subauthorities ===
	145
	146	Please note that Utah's ProtoGENI software does not yet support
	147	subauthorities. If a validator does not support subauthorities, it
	148	should reject any credential if either the authority certificate
	149	subject URN or the credential target URN contain one or more
	150	subauthority fields.
	151
	152	If the validator does process subauthorities, the following
	153	restrictions will apply:
	154
	155	1. The number of subauthorities specified in the authority subject
	156	and the credential target must agree, and each `subauthority`
	157	field must match (just as the `toplevelauthority` must).
	158	1. Any authority certificate where the subject URN contains one or
	159	more subauthorities must have been signed by a CA such that the
	160	certificate issuer URN contains exactly the same `toplevelauthority`
	161	and `subauthority` fields as the certificate subject URN in
	162	exactly the same order, except that the very last `subauthority`
	163	in the certificate subject must not be present in the certificate
	164	issuer.