--- /dev/null
+#
+# EMULAB-COPYRIGHT
+# Copyright (c) 2008 University of Utah and the Flux Group.
+# All rights reserved.
+#
+
+# ProtoGENI credential and privilege specification. The key points:
+#
+# * A credential is a set of privileges or a Ticket, each with a flag
+# to indicate delegation is permitted.
+# * A credential is signed and the signature included in the body of the
+# document.
+# * To support delegation, a credential will include its parent, and that
+# blob will be signed. So, there will be multiple signatures in the
+# document, each with a reference to the credential it signs.
+#
+#default namespace = "http://www.protogeni.net/resources/credential/0.1"
+
+namespace sig = "http://www.w3.org/2000/09/xmldsig#"
+datatypes xs = "http://www.w3.org/2001/XMLSchema-datatypes"
+anyelementbody = (attribute * {text} | text | element * {anyelementbody} )*
+
+# This is where we get the definition of RSpec from
+include "../rspec/protogeni-rspec-common.rnc"
+
+## Representation of a single privileges.
+PrivilegeSpec = element privilege {
+ # Name of the privilege.
+ element name { xsd:string { minLength = "1" }},
+ # Flag indicating this privilege can be delegated
+ element can_delegate { xsd:boolean }
+}
+
+## A set of privileges.
+PrivilegesSpec = element privileges {
+ PrivilegeSpec*
+}
+
+## Backwards compat my original credential spec.
+CapabilitySpec = element capability {
+ # Name of the capability.
+ element name { xsd:string { minLength = "1" }},
+ # Flag indicating this capability can be delegated
+ element can_delegate { "0" | "1" }
+}
+## Backwards compat my original credential spec.
+CapabilitiesSpec = element capabilities {
+ CapabilitySpec*
+}
+
+## Define a stub for future ticket.
+TicketSpec = element ticket {
+ ## Can the ticket be delegated?
+ element can_delegate { xsd:boolean },
+ ## The ticket must be "cashed in" by this date
+ element redeem_before { xsd:dateTime },
+ ## A desciption of the resources that are being promised
+ # Note: What I really want to do here is reference RSpec as being
+ # in a separate namespace. But, it's not clear to me how to do this,
+ # so we basically just use by inclusion
+ anyelementbody
+}
+
+## A list of signatures.
+signatures = element signatures {
+ element sig:Signature { anyelementbody }+
+}
+
+## A credential granting privileges or a ticket.
+credentials = element credential {
+ ## The ID for signature referencing.
+ attribute xml:id {xs:ID},
+ ## The type of this credential. Currently a Privilege set or a Ticket.
+ element type { "privilege" | "ticket" | "capability" },
+ ## A serial number.
+ element serial { xsd:string },
+ ## GID of the owner of this credential.
+ element owner_gid { xsd:string },
+ ## GID of the target of this credential.
+ element target_gid { xsd:string },
+ ## UUID of this credential
+ element uuid { xsd:string },
+ ## Expires on
+ element expires { xsd:dateTime },
+ ## Privileges or a ticket
+ (PrivilegesSpec | TicketSpec | CapabilitiesSpec),
+ ## Optional Extensions
+ element extensions { anyelementbody }*,
+ ## Parent that delegated to us
+ element parent { credentials }?
+}
+
+SignedCredential = element signed-credential {
+ credentials,
+ signatures?
+}
+
+start = SignedCredential