Changes between Version 2 and Version 3 of Creddy

Timestamp:

Oct 1, 2010 2:13:21 PM (14 years ago)

Author:

Mike Ryan

Comment:

--

Creddy

@@ -81 +81 @@
 generate an X.509 attribute cert representing an ABAC credential
 <P>
+An attribute cert has one or more subjects. A single subject may be defined without a role. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-role. Providing multiple subjects creates an intersection certificate.
+<P>
 <DL COMPACT>
 <DT><B>--issuer</B>
@@ -95 +97 @@
 
 <DD>
-role in issuer's local attribute space.  Must start with a letter and be alphanumeric thereafter.
+role in issuer's local attribute space
 <P>
 <DT><B>--subject-cert</B>
 
 <DD>
-X.509 identity cert representing the principal to which the role is being issued. This is mutually exclusive to --subject-id.
+X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject.
 <P>
 <DT><B>--subject-id</B>
 
 <DD>
-public key identifier (SHA1 hash) of the principal to which the role is being issued. This is mutually exclusive to --subject-cert.
+public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject.
 <P>
 <DT><B>--subject-role</B>
 
 <DD>
-optional role in subject's local attribute space. Must start with a letter and be alphanumeric thereafter. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 &lt;- B.r2.
+optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 &lt;- B.r2.
 <P>
 <DT><B>--validity</B>
@@ -121 +123 @@
 <DD>
 where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der.
+<P>
 <P>
 </DL>