From a4b427fc4f10648838e81fee8cda45e159bad5e6 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 5 Apr 2005 15:04:50 +0000
Subject: [PATCH] Schema for Shibboleth V1.1/V1.2 trust metadata.

---
 xml/shibboleth-trust-1.0.xsd | 60 ++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 xml/shibboleth-trust-1.0.xsd

diff --git a/xml/shibboleth-trust-1.0.xsd b/xml/shibboleth-trust-1.0.xsd
new file mode 100644
index 00000000..0e603a5b
--- /dev/null
+++ b/xml/shibboleth-trust-1.0.xsd
@@ -0,0 +1,60 @@
+<schema targetNamespace="urn:mace:shibboleth:trust:1.0"
+	xmlns="http://www.w3.org/2001/XMLSchema"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	xmlns:trust="urn:mace:shibboleth:trust:1.0"
+	elementFormDefault="unqualified"
+	attributeFormDefault="unqualified"
+	version="1.0">
+	
+    <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
+
+	<annotation>
+		<documentation>
+		Trust metadata binds keys or authority lists to system entities.
+		The metadata consumer is responsible for associating the names of system entities
+		to the application context in an appropriate way.
+		</documentation>
+	</annotation>
+    
+	<element name="Trust">
+		<annotation>
+			<documentation>
+			An optionally signed collection of trust binding elements.
+			ds:KeyInfo is by definition a binding of a key to a specific entity,
+			which may be specified in various ways such as KeyName or X509SubjectName.
+			</documentation>
+		</annotation>
+		<complexType>
+			<sequence>
+				<choice maxOccurs="unbounded">
+					<element ref="ds:KeyInfo"/>
+					<element ref="trust:KeyAuthority"/>
+				</choice>
+				<element ref="ds:Signature" minOccurs="0"/>
+			</sequence>
+	        <attribute name="lastChanged" type="dateTime" use="optional"/>
+	        <attribute name="validUntil" type="dateTime" use="optional"/>
+	        <attribute name="cacheDuration" type="duration" use="optional"/>
+	        <anyAttribute namespace="##other" processContents="lax"/>
+		</complexType>
+	</element>
+
+	<element name="KeyAuthority" type="trust:KeyAuthorityType"/>
+	<complexType name="KeyAuthorityType">
+		<annotation>
+			<documentation>
+			Binds keying authorities to one or more named system entities.
+			Omitting ds:KeyName will apply the authorities to all transactions, unless
+			another specific match applies. This is risky, so use wisely, in conjunction
+			with constraints on acceptable messages using other forms of metadata or policy.
+			</documentation>
+		</annotation>
+		<sequence>
+			<element ref="ds:KeyName" minOccurs="0" maxOccurs="unbounded"/>
+			<element ref="ds:KeyInfo"/>
+		</sequence>
+		<attribute name="VerifyDepth" type="unsignedByte" use="optional"/>
+		<anyAttribute namespace="##other" processContents="lax"/>
+	</complexType>
+	
+</schema>