Mathematical Mesh: Reference
draft-hallambaker-mesh-reference-09
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
|
|
|---|---|---|---|
| Author | Phillip Hallam-Baker | ||
| Last updated | 2018-04-11 | ||
| RFC stream | (None) | ||
| Formats | |||
| Additional resources | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-hallambaker-mesh-reference-09
Network Working Group P. Hallam-Baker
Internet-Draft Comodo Group Inc.
Intended status: Informational April 11, 2018
Expires: October 13, 2018
Mathematical Mesh: Reference
draft-hallambaker-mesh-reference-09
Abstract
The Mathematical Mesh ?The Mesh? is an end-to-end secure
infrastructure that facilitates the exchange of configuration and
credential data between multiple user devices. The core protocols of
the Mesh are described with examples of common use cases and
reference data.
This document is also available online at
http://mathmesh.com/Documents/draft-hallambaker-mesh-reference.html
[1] .
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 13, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Hallam-Baker Expires October 13, 2018 [Page 1]
Internet-Draft Mathematical Mesh Reference April 2018
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
2.2. Defined Terms . . . . . . . . . . . . . . . . . . . . . . 5
2.3. Related Specifications . . . . . . . . . . . . . . . . . 5
2.4. Implementation Status . . . . . . . . . . . . . . . . . . 5
3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Creating a new portal account . . . . . . . . . . . . . . 5
3.1.1. Checking Account Identifier for uniqueness . . . . . 5
3.2. Creating a new user profile . . . . . . . . . . . . . . . 6
3.2.1. Publishing a new user profile . . . . . . . . . . . . 13
3.3. Connecting a device profile to a user profile . . . . . . 15
3.3.1. Profile Authentication . . . . . . . . . . . . . . . 17
3.3.2. Connection request . . . . . . . . . . . . . . . . . 20
3.3.3. Administrator Polls Pending Connections . . . . . . . 21
3.3.4. Administrator updates and publishes the personal
profile. . . . . . . . . . . . . . . . . . . . . . . 23
3.3.5. Administrator posts completion request. . . . . . . . 24
3.3.6. Connecting device polls for status update. . . . . . 25
3.4. Adding an application profile to a user profile . . . . . 26
3.5. Creating a recovery profile . . . . . . . . . . . . . . . 27
3.6. Recovering a profile . . . . . . . . . . . . . . . . . . 28
4. Shared Classes . . . . . . . . . . . . . . . . . . . . . . . 28
4.1. Cryptographic Data Classes . . . . . . . . . . . . . . . 28
4.1.1. Structure: PublicKey . . . . . . . . . . . . . . . . 28
4.1.2. Structure: SignedData . . . . . . . . . . . . . . . . 29
4.1.3. Structure: EncryptedData . . . . . . . . . . . . . . 29
4.2. Common Application Classes . . . . . . . . . . . . . . . 29
4.2.1. Structure: Connection . . . . . . . . . . . . . . . . 29
5. Mesh Profile Objects . . . . . . . . . . . . . . . . . . . . 30
5.1. Base Profile Objects . . . . . . . . . . . . . . . . . . 30
5.1.1. Structure: Entry . . . . . . . . . . . . . . . . . . 30
5.1.2. Structure: SignedProfile . . . . . . . . . . . . . . 30
5.1.3. Structure: Advice . . . . . . . . . . . . . . . . . . 30
5.1.4. Structure: PortalAdvice . . . . . . . . . . . . . . . 30
5.1.5. Structure: Profile . . . . . . . . . . . . . . . . . 31
5.2. Device Profile Classes . . . . . . . . . . . . . . . . . 31
5.2.1. Structure: SignedDeviceProfile . . . . . . . . . . . 31
5.2.2. Structure: DeviceProfile . . . . . . . . . . . . . . 31
5.2.3. Structure: DevicePrivateProfile . . . . . . . . . . . 32
5.3. Master Profile Objects . . . . . . . . . . . . . . . . . 32
Hallam-Baker Expires October 13, 2018 [Page 2]
Internet-Draft Mathematical Mesh Reference April 2018
5.3.1. Structure: SignedMasterProfile . . . . . . . . . . . 32
5.3.2. Structure: MasterProfile . . . . . . . . . . . . . . 32
5.4. Personal Profile Objects . . . . . . . . . . . . . . . . 33
5.4.1. Structure: SignedPersonalProfile . . . . . . . . . . 33
5.4.2. Structure: PersonalProfile . . . . . . . . . . . . . 33
5.4.3. Structure: ApplicationProfileEntry . . . . . . . . . 33
5.5. Application Profile Objects . . . . . . . . . . . . . . . 34
5.5.1. Structure: SignedApplicationProfile . . . . . . . . . 34
5.5.2. Structure: ApplicationProfile . . . . . . . . . . . . 34
5.5.3. Structure: ApplicationProfilePrivate . . . . . . . . 34
5.5.4. Structure: ApplicationDevicePublic . . . . . . . . . 34
5.5.5. Structure: ApplicationDevicePrivate . . . . . . . . . 34
5.6. Key Escrow Objects . . . . . . . . . . . . . . . . . . . 35
5.6.1. Structure: EscrowEntry . . . . . . . . . . . . . . . 35
5.6.2. Structure: OfflineEscrowEntry . . . . . . . . . . . . 35
5.6.3. Structure: OnlineEscrowEntry . . . . . . . . . . . . 35
5.6.4. Structure: EscrowedKeySet . . . . . . . . . . . . . . 35
6. Portal Connection . . . . . . . . . . . . . . . . . . . . . . 35
6.1. Connection Request and Response Structures . . . . . . . 35
6.1.1. Structure: ConnectionRequest . . . . . . . . . . . . 35
6.1.2. Structure: SignedConnectionRequest . . . . . . . . . 36
6.1.3. Structure: ConnectionResult . . . . . . . . . . . . . 36
6.1.4. Structure: SignedConnectionResult . . . . . . . . . . 36
7. Mesh Portal Service Reference . . . . . . . . . . . . . . . . 36
7.1. Request Messages . . . . . . . . . . . . . . . . . . . . 36
7.1.1. Message: MeshRequest . . . . . . . . . . . . . . . . 37
7.2. Response Messages . . . . . . . . . . . . . . . . . . . . 37
7.2.1. Message: MeshResponse . . . . . . . . . . . . . . . . 37
7.3. Imported Objects . . . . . . . . . . . . . . . . . . . . 37
7.4. Common Structures . . . . . . . . . . . . . . . . . . . . 37
7.4.1. Structure: KeyValue . . . . . . . . . . . . . . . . . 37
7.4.2. Structure: SearchConstraints . . . . . . . . . . . . 37
7.5. Transaction: Hello . . . . . . . . . . . . . . . . . . . 38
7.6. Transaction: ValidateAccount . . . . . . . . . . . . . . 38
7.6.1. Message: ValidateRequest . . . . . . . . . . . . . . 38
7.6.2. Message: ValidateResponse . . . . . . . . . . . . . . 39
7.7. Transaction: CreateAccount . . . . . . . . . . . . . . . 40
7.7.1. Message: CreateRequest . . . . . . . . . . . . . . . 40
7.7.2. Message: CreateResponse . . . . . . . . . . . . . . . 40
7.8. Transaction: DeleteAccount . . . . . . . . . . . . . . . 40
7.8.1. Message: DeleteRequest . . . . . . . . . . . . . . . 41
7.8.2. Message: DeleteResponse . . . . . . . . . . . . . . . 41
7.9. Transaction: Get . . . . . . . . . . . . . . . . . . . . 41
7.9.1. Message: GetRequest . . . . . . . . . . . . . . . . . 41
7.9.2. Message: GetResponse . . . . . . . . . . . . . . . . 42
7.10. Transaction: Publish . . . . . . . . . . . . . . . . . . 42
7.10.1. Message: PublishRequest . . . . . . . . . . . . . . 42
7.10.2. Message: PublishResponse . . . . . . . . . . . . . . 43
Hallam-Baker Expires October 13, 2018 [Page 3]
Internet-Draft Mathematical Mesh Reference April 2018
7.11. Transaction: Status . . . . . . . . . . . . . . . . . . . 43
7.11.1. Message: StatusRequest . . . . . . . . . . . . . . . 43
7.11.2. Message: StatusResponse . . . . . . . . . . . . . . 43
7.12. Transaction: ConnectStart . . . . . . . . . . . . . . . . 44
7.12.1. Message: ConnectStartRequest . . . . . . . . . . . . 44
7.12.2. Message: ConnectStartResponse . . . . . . . . . . . 44
7.13. Transaction: ConnectStatus . . . . . . . . . . . . . . . 44
7.13.1. Message: ConnectStatusRequest . . . . . . . . . . . 45
7.13.2. Message: ConnectStatusResponse . . . . . . . . . . . 45
7.14. Transaction: ConnectPending . . . . . . . . . . . . . . . 45
7.14.1. Message: ConnectPendingRequest . . . . . . . . . . . 45
7.14.2. Message: ConnectPendingResponse . . . . . . . . . . 46
7.15. Transaction: ConnectComplete . . . . . . . . . . . . . . 46
7.15.1. Message: ConnectCompleteRequest . . . . . . . . . . 46
7.15.2. Message: ConnectCompleteResponse . . . . . . . . . . 46
7.16. Transaction: Transfer . . . . . . . . . . . . . . . . . . 47
7.16.1. Message: TransferRequest . . . . . . . . . . . . . . 47
7.16.2. Message: TransferResponse . . . . . . . . . . . . . 47
8. Security Considerations . . . . . . . . . . . . . . . . . . . 47
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 48
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 48
11.1. Normative References . . . . . . . . . . . . . . . . . . 48
11.2. Informative References . . . . . . . . . . . . . . . . . 48
11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 48
1. Introduction
NB: The reference material in this document is generated from the
schema used to derive the source code. The tool used to create this
material has not been optimized to produce output for the IETF
documentation format at this time. Consequently, the formatting is
currently sub-optimal.
2. Definitions
This section presents the related specifications and standard, the
terms that are used as terms of art within the documents and the
terms used as requirements language.
2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] .
Hallam-Baker Expires October 13, 2018 [Page 4]
Internet-Draft Mathematical Mesh Reference April 2018
2.2. Defined Terms
The terms of art used in this document are described in the Mesh
Architecture Guide [draft-hallambaker-mesh-architecture] .
2.3. Related Specifications
The architecture of the Mathematical Mesh is described in the Mesh
Architecture Guide [draft-hallambaker-mesh-architecture] . The Mesh
documentation set and related specifications are described in this
document.
2.4. Implementation Status
The implementation status of the reference code base is described in
the companion document [draft-hallambaker-mesh-developer] .
3. Protocol Overview
[Account request does not specify the portal in the request body,
only the HTTP package includes this information. This is probably a
bug.]
3.1. Creating a new portal account
A user interacts with a Mesh service through a Mesh portal provider
with which she establishes a portal account.
For user convenience, a portal account identifier has the familiar
<username>@<domain> format established in [~RFC822].
For example Alice selects example.com as her portal provider and
chooses the account name alice. Her portal account identifier is
alice.
A user MAY establish accounts with multiple portal providers and/or
change their portal provider at any time they choose.
3.1.1. Checking Account Identifier for uniqueness
The first step in creating a new account is to check to see if the
chosen account identifier is available. This allows a client to
validate user input and if necessary warn the user that they need to
choose a new account identifier when the data is first entered.
The ValidateRequest message contains the requested account identifier
and an optional language parameter to allow the service to provide
informative error messages in a language the user understands. The
Hallam-Baker Expires October 13, 2018 [Page 5]
Internet-Draft Mathematical Mesh Reference April 2018
Language field contains a list of ISO language identifier codes in
order of preference, most preferred first.
POST /.well-known/mmm/HTTP/1.1
Host: example.com
Content-Length: 90
{
"ValidateRequest": {
"Account": "test@prismproof.org",
"Language": ["en-uk"]}}
Figure 1
The ValidateResponse message returns the result of the validation
request in the Valid field. Note that even if the value true is
returned, a subsequent account creation request MAY still fail.
HTTP/1.1 200 OK
Date: Mon 04 Dec 2017 03:38:57
Content-Length: 190
{
"ValidateResponse": {
"Status": 201,
"StatusDescription": "Operation completed successfully",
"Valid": true,
"Minimum": 1,
"InvalidCharacters": ".,:;{}()[]<>?|\\@#"}}
Figure 2
[Note that for the sake of concise presentation, the HTTP binding
information is omitted from future examples.]
3.2. Creating a new user profile
The first step in creating a new personal profile is to create a
Master Profile object. This contains the long term Master Signing
Key that will remain constant for the life of the profile, at least
one Online Signature Key to be used for administering the personal
profile and (optionally), one or more master escrow keys.
For convenience, the descriptions of the Master Signing Key, Online
Signing Keys and Escrow Keys typically include PKIX certificates
signed by the Master Signing Key. This allows PKIX based applications
to make use of PKIX certificate chains to express the same trust
relationships described in the Mesh.
Hallam-Baker Expires October 13, 2018 [Page 6]
Internet-Draft Mathematical Mesh Reference April 2018
{
"MasterProfile": {
"Identifier": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"MasterSignatureKey": {
"UDF": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"X509Certificate": "
MIIFXTCCBEWgAwIBAgIRAMLMDJuKzpOYUgyGu-pFSoswDQYJKoZIhvcNAQENBQAw
LjEsMCoGA1UEAxYjTUFMRUktR1RWM0UtNVc3SlItNk5NRVktN0c1MlUtNkszT1Qw
...
9c8HDZ9z9BHj_XwoShvX9neZiiQ26Pw9rJLNJ70Q7Nsi"
,
"PublicParameters": {
"PublicKeyRSA": {
"kid": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"n": "
-OVfAVjglTViCa7GRMcZdX8zfuALOIMoVU9itSc6zIZPDNM_D1g_-wI_bM0duKXT
Y2B3gtZJBe6tnlLK2PPnwVEqo1srSmIBGTwgRM_wlJmjQ46rET0SMEI1GuVRqvah
pxqq59XqfDYqydqOvtDcqavgyW33S1UXI7KVSJgwagk3QFnIoErh8bnK54Gdpz-L
BA7EICHqD2Md4pdRVCY1-JFYrG1wX0B5DZzCUQ6fd-TBt4BEBH3ERLQhqQMwIE7x
CaEBahklcP_44FgSmeT21sQFSHhBPZxdqmfAEefKPKu9vuo3XETeSRs3HTrtoImF
IZj421mieaQc0vTYNWL2pQ"
,
"e": "
AQAB"
}}},
"MasterEscrowKeys": [{
"UDF": "MCYWE-GQRSM-NOK5T-3UVLY-AHJF6-T4GZC",
"X509Certificate": "
MIIFXDCCBESgAwIBAgIQCLpDHbhuyKQxHbawBVlw4TANBgkqhkiG9w0BAQ0FADAu
MSwwKgYDVQQDFiNNQUxFSS1HVFYzRS01VzdKUi02Tk1FWS03RzUyVS02SzNPVDAe
...
mQ46FsAdzE42gLKnIN7IXYHbHr-bbw-5fW1bdQ840O8"
,
"PublicParameters": {
"PublicKeyRSA": {
"kid": "MCYWE-GQRSM-NOK5T-3UVLY-AHJF6-T4GZC",
"n": "
0aPb4XHnVtVIGWXc8t1mvCkf52UC8NRKPZkjNVY0bY8WwNtUNWbn-Tqv5ncS9hVz
gaRvQIM9U_4JZgwviuy2srJj0_c1yQtGIbBIRsrWt6wfx_gM0g1YCty_06hCrOu0
54JzRMm6wpLcmmws-Ip9rIL931zoNx5HvWEp5bUMFv3qENbYzlAPizobxSDinMLJ
R0gfTPz4FwillrnWRWhsWZ3VscDGZxYTsI3wZhi60B7LDdmTkr9KqXiVt7fefUSP
bGAYGQLuh_296O_Hh6F6N6V2UhvncD0K9F4t6DBt7_H06HojqLrUWsD1juVilE3h
dfFYaMEgyo9bxMIefKeQXQ"
,
"e": "
AQAB"
}}}],
"OnlineSignatureKeys": [{
Hallam-Baker Expires October 13, 2018 [Page 7]
Internet-Draft Mathematical Mesh Reference April 2018
"UDF": "MCWKN-SFJ2G-CDZQ4-ZPT4S-GS6LU-Y3COT",
"X509Certificate": "
MIIFXDCCBESgAwIBAgIQPcM0MUJ9c57N4f_Z_9uSsDANBgkqhkiG9w0BAQ0FADAu
MSwwKgYDVQQDFiNNQUxFSS1HVFYzRS01VzdKUi02Tk1FWS03RzUyVS02SzNPVDAe
...
eljXhyaFB_QYGvKRAtyaSnU9m51xLX28D5bNq8LO53M"
,
"PublicParameters": {
"PublicKeyRSA": {
"kid": "MCWKN-SFJ2G-CDZQ4-ZPT4S-GS6LU-Y3COT",
"n": "
yVcObdfLYL_Gh36yY_bprL8W7rEgax8Nbe2KFSZWkWayGps79C16pqOV0Doapko1
Lnbb-uB0BTS-Qw6A0F_0ZQyEaWzBMycvPT0Gr87unC-Ow3IaYeA2TbKNMg8Yvd_d
LB4nwWqWianYhV2nSbG4Tfem9zyYvrhG-DcKeMgQmSV6WgdwMCVEdKuuBxl5SL2D
GvmLwDwfRRX3tk0QGraagjywOCjmBd5F2WPaUtKV8HZtT9H9hI6YyztKrL_mp12P
itds_krRRLWf2OFNFMQau93zYxtNObu3xshu3hDzDHL_81pmXzMQ_AZ0vjF7-PA1
dC0VpPs3xxbXRNw64Kf_3Q"
,
"e": "
AQAB"
}}}]}}
Figure 3
The Master Profile is always signed using the Master Signing Key:
Hallam-Baker Expires October 13, 2018 [Page 8]
Internet-Draft Mathematical Mesh Reference April 2018
{
"SignedMasterProfile": {
"Identifier": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJNYXN0ZXJQcm9maWxlIjogewogICAgIklkZW50aWZpZXIiOiAiTUFMRUkt
R1RWM0UtNVc3SlItNk5NRVktN0c1MlUtNkszT1QiLAogICAgIk1hc3RlclNpZ25h
...
In19fV19fQ"
,
"signatures": [{
"header": {
"kid": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCnpuZERBMjFPSkZtZk1pdWV6
RWV6dThHWUJzWEVOSXVKZmFOMjJwWV9hTzNHeGl6ZjM3emJVVzFPNEVReDJFZ0IK
cURmRXJwVDdpX2VPVzBYWGk5VmdDUSJ9"
,
"signature": "
D0cg0pN4-50S1ilo9wrfI6u-R5NvAuZo8j5-XIBr1AylzMDWZk5YpdtoUM1q8FIR
sXVzetQ_6l8zc6fVzUJt7fMN8yBvc9v6owcFBNrujJSHsBU2u_DGxdhH1DW_4MU4
rTGXzek3__8jxo-q8LyzBfX2Wl3jzZz5VP_LhPdRjNFKTuU1e-KlLU43imvn8WTB
TYQas3JVWUgdsyH3OZ-FQ7Z06tNUtmza6qCK2HqRaUmJZ9P35835MaJbZX8D87WB
7R3KHWPNCO8bBkzXJCaM86E0wmYna3u1BuJ1Bg1bPY3t-iqVxv59FPHLB24TVMWP
WQIhxuUIJt5QYj_BhjmeBg"
}]}}}
Figure 4
Since the device used to create the personal profile is typically
connected to the profile, a Device profile entry is created for it.
This contains a Device Signing Key, a Device Encryption Key and a
Device Authentication Key:
Hallam-Baker Expires October 13, 2018 [Page 9]
Internet-Draft Mathematical Mesh Reference April 2018
{
"JoseWebSignature": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJEZXZpY2VQcm9maWxlIjogewogICAgIklkZW50aWZpZXIiOiAiTURLVVIt
VFBaUU8tNlo3U1AtUUNFUjYtN0tRU0QtQ05STlEiLAogICAgIk5hbWVzIjogWyJE
...
OUxjUVpRIiwKICAgICAgICAgICJlIjogIgpBUUFCIn19fX19"
,
"signatures": [{
"header": {
"kid": "MDKUR-TPZQO-6Z7SP-QCER6-7KQSD-CNRNQ"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCjFUX0ExbGFSY1M4OWszbFpk
aklSNUx5LVBJWlM5QUM4XzJlWmUyLUF3SXJVMzIwbFNKakhCcU1VRnBTczBTczcK
dzdva1dlV0YtV1VQcll3WjJUU2JFZyJ9"
,
"signature": "
PUZrcYPUfJRxvKMnPJ6U6mgSx3lJoyY_Q-Takf0ZrnRMbjKi1Nn2nLFlfTi_htVO
Rn45WrLIR-hnZbKLWFkwsNg2HZ55MELcF0Cnvbzb8nj0roy3vc6FSJF5aZiFEn6u
hAAimDiA8HHta0J7nzlStYPeqrb_s0XDiNfpp7aSqckVdGZC2XKhx1RgQuF5ctp3
zLOGzV0Y5No312QmIagOXcLFLXG0awxhvEHhyhsALnQX8rd0z4AZmZavKCHufbcE
n-nRts8GzgcKmnRpmOuPdGhtT-PI8Gn7-sxfb4R95Taf_7_fvLLNG0Sot4DMTMuP
xovBNY1eA23ZHtw9AvmTAg"
}]}}
Figure 5
The Device Profile is signed using the Device Signing Key:
Hallam-Baker Expires October 13, 2018 [Page 10]
Internet-Draft Mathematical Mesh Reference April 2018
{
"SignedDeviceProfile": {
"Identifier": "MDKUR-TPZQO-6Z7SP-QCER6-7KQSD-CNRNQ",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJEZXZpY2VQcm9maWxlIjogewogICAgIklkZW50aWZpZXIiOiAiTURLVVIt
VFBaUU8tNlo3U1AtUUNFUjYtN0tRU0QtQ05STlEiLAogICAgIk5hbWVzIjogWyJE
...
OUxjUVpRIiwKICAgICAgICAgICJlIjogIgpBUUFCIn19fX19"
,
"signatures": [{
"header": {
"kid": "MDKUR-TPZQO-6Z7SP-QCER6-7KQSD-CNRNQ"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCjFUX0ExbGFSY1M4OWszbFpk
aklSNUx5LVBJWlM5QUM4XzJlWmUyLUF3SXJVMzIwbFNKakhCcU1VRnBTczBTczcK
dzdva1dlV0YtV1VQcll3WjJUU2JFZyJ9"
,
"signature": "
PUZrcYPUfJRxvKMnPJ6U6mgSx3lJoyY_Q-Takf0ZrnRMbjKi1Nn2nLFlfTi_htVO
Rn45WrLIR-hnZbKLWFkwsNg2HZ55MELcF0Cnvbzb8nj0roy3vc6FSJF5aZiFEn6u
hAAimDiA8HHta0J7nzlStYPeqrb_s0XDiNfpp7aSqckVdGZC2XKhx1RgQuF5ctp3
zLOGzV0Y5No312QmIagOXcLFLXG0awxhvEHhyhsALnQX8rd0z4AZmZavKCHufbcE
n-nRts8GzgcKmnRpmOuPdGhtT-PI8Gn7-sxfb4R95Taf_7_fvLLNG0Sot4DMTMuP
xovBNY1eA23ZHtw9AvmTAg"
}]}}}
Figure 6
A personal profile would typically contain at least one application
when first created. For the sake of demonstration, we will do this
later.
The personal profile thus consists of the master profile and the
device profile:
{
"PersonalProfile": {
"Identifier": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"SignedMasterProfile": {
"Identifier": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJNYXN0ZXJQcm9maWxlIjogewogICAgIklkZW50aWZpZXIiOiAiTUFMRUkt
Hallam-Baker Expires October 13, 2018 [Page 11]
Internet-Draft Mathematical Mesh Reference April 2018
R1RWM0UtNVc3SlItNk5NRVktN0c1MlUtNkszT1QiLAogICAgIk1hc3RlclNpZ25h
...
In19fV19fQ"
,
"signatures": [{
"header": {
"kid": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCnpuZERBMjFPSkZtZk1pdWV6
RWV6dThHWUJzWEVOSXVKZmFOMjJwWV9hTzNHeGl6ZjM3emJVVzFPNEVReDJFZ0IK
cURmRXJwVDdpX2VPVzBYWGk5VmdDUSJ9"
,
"signature": "
D0cg0pN4-50S1ilo9wrfI6u-R5NvAuZo8j5-XIBr1AylzMDWZk5YpdtoUM1q8FIR
sXVzetQ_6l8zc6fVzUJt7fMN8yBvc9v6owcFBNrujJSHsBU2u_DGxdhH1DW_4MU4
rTGXzek3__8jxo-q8LyzBfX2Wl3jzZz5VP_LhPdRjNFKTuU1e-KlLU43imvn8WTB
TYQas3JVWUgdsyH3OZ-FQ7Z06tNUtmza6qCK2HqRaUmJZ9P35835MaJbZX8D87WB
7R3KHWPNCO8bBkzXJCaM86E0wmYna3u1BuJ1Bg1bPY3t-iqVxv59FPHLB24TVMWP
WQIhxuUIJt5QYj_BhjmeBg"
}]}},
"Devices": [{
"Identifier": "MDKUR-TPZQO-6Z7SP-QCER6-7KQSD-CNRNQ",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJEZXZpY2VQcm9maWxlIjogewogICAgIklkZW50aWZpZXIiOiAiTURLVVIt
VFBaUU8tNlo3U1AtUUNFUjYtN0tRU0QtQ05STlEiLAogICAgIk5hbWVzIjogWyJE
...
OUxjUVpRIiwKICAgICAgICAgICJlIjogIgpBUUFCIn19fX19"
,
"signatures": [{
"header": {
"kid": "MDKUR-TPZQO-6Z7SP-QCER6-7KQSD-CNRNQ"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCjFUX0ExbGFSY1M4OWszbFpk
aklSNUx5LVBJWlM5QUM4XzJlWmUyLUF3SXJVMzIwbFNKakhCcU1VRnBTczBTczcK
dzdva1dlV0YtV1VQcll3WjJUU2JFZyJ9"
,
"signature": "
PUZrcYPUfJRxvKMnPJ6U6mgSx3lJoyY_Q-Takf0ZrnRMbjKi1Nn2nLFlfTi_htVO
Rn45WrLIR-hnZbKLWFkwsNg2HZ55MELcF0Cnvbzb8nj0roy3vc6FSJF5aZiFEn6u
hAAimDiA8HHta0J7nzlStYPeqrb_s0XDiNfpp7aSqckVdGZC2XKhx1RgQuF5ctp3
zLOGzV0Y5No312QmIagOXcLFLXG0awxhvEHhyhsALnQX8rd0z4AZmZavKCHufbcE
n-nRts8GzgcKmnRpmOuPdGhtT-PI8Gn7-sxfb4R95Taf_7_fvLLNG0Sot4DMTMuP
xovBNY1eA23ZHtw9AvmTAg"
}]}}],
"Applications": []}}
Hallam-Baker Expires October 13, 2018 [Page 12]
Internet-Draft Mathematical Mesh Reference April 2018
Figure 7
The personal profile is then signed using the Online Signing Key:
{
"SignedPersonalProfile": {
"Identifier": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJQZXJzb25hbFByb2ZpbGUiOiB7CiAgICAiSWRlbnRpZmllciI6ICJNQUxF
SS1HVFYzRS01VzdKUi02Tk1FWS03RzUyVS02SzNPVCIsCiAgICAiU2lnbmVkTWFz
...
b25zIjogW119fQ"
,
"signatures": [{
"header": {
"kid": "MCWKN-SFJ2G-CDZQ4-ZPT4S-GS6LU-Y3COT"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCjhhR1g4Z2hibUlhc2FXVEtm
UjBhQ0QyLU5Fckh3Z0RXRkIwM2diSk1hZFhSVkpyZmpYc1RxNXFZeEhyRDRDTzQK
d0JoWXBkejVyRXJVSmtaUVFQYl9lUSJ9"
,
"signature": "
v0aUBSoxs6FMtFsbWMZViJvVNh3GNliu7CEnw2Ajj-3mRwEtgTFY0H5RiB9AIbI2
TODq7JPKm7-6CCUEugXGdh4ZOnu5A2pAbwtotdAZBpNlhTQTuN6EE-OXwZmZSQyG
DZil2tIjLxYSlsX6vWB4M00HPPYx44TLvbbNVbTVJpw5gnWTceSw5nzIsUqT3gVE
8mCtN2Vo4EWKcMEhUJMx9nUkIaclW9orbA51S3B8QeMGP179cyZ_X_y6TKC3wIB6
AUm6ZQtpa_gBRnAmkbJj6-H_zI_OQIUO_IO2ANL3jI7TSiGPA7VhKsTYDTihMPHs
wfDAwuxZ2a5enFCczaywlg"
}]}}}
Figure 8
3.2.1. Publishing a new user profile
Once the signed personal profile is created, the client can finaly
make the request for the service to create the account. The request
object contains the requested account identifier and profile:
Hallam-Baker Expires October 13, 2018 [Page 13]
Internet-Draft Mathematical Mesh Reference April 2018
{
"CreateRequest": {
"Account": "test@prismproof.org",
"Profile": {
"SignedPersonalProfile": {
"Identifier": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJQZXJzb25hbFByb2ZpbGUiOiB7CiAgICAiSWRlbnRpZmllciI6ICJNQUxF
SS1HVFYzRS01VzdKUi02Tk1FWS03RzUyVS02SzNPVCIsCiAgICAiU2lnbmVkTWFz
...
b25zIjogW119fQ"
,
"signatures": [{
"header": {
"kid": "MCWKN-SFJ2G-CDZQ4-ZPT4S-GS6LU-Y3COT"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCjhhR1g4Z2hibUlhc2FXVEtm
UjBhQ0QyLU5Fckh3Z0RXRkIwM2diSk1hZFhSVkpyZmpYc1RxNXFZeEhyRDRDTzQK
d0JoWXBkejVyRXJVSmtaUVFQYl9lUSJ9"
,
"signature": "
v0aUBSoxs6FMtFsbWMZViJvVNh3GNliu7CEnw2Ajj-3mRwEtgTFY0H5RiB9AIbI2
TODq7JPKm7-6CCUEugXGdh4ZOnu5A2pAbwtotdAZBpNlhTQTuN6EE-OXwZmZSQyG
DZil2tIjLxYSlsX6vWB4M00HPPYx44TLvbbNVbTVJpw5gnWTceSw5nzIsUqT3gVE
8mCtN2Vo4EWKcMEhUJMx9nUkIaclW9orbA51S3B8QeMGP179cyZ_X_y6TKC3wIB6
AUm6ZQtpa_gBRnAmkbJj6-H_zI_OQIUO_IO2ANL3jI7TSiGPA7VhKsTYDTihMPHs
wfDAwuxZ2a5enFCczaywlg"
}]}}}}}
Figure 9
The service reports the success (or failure) of the account creation
request:
{
"CreateResponse": {
"Status": 201,
"StatusDescription": "Operation completed successfully"}}
Figure 10
Hallam-Baker Expires October 13, 2018 [Page 14]
Internet-Draft Mathematical Mesh Reference April 2018
3.3. Connecting a device profile to a user profile
Connecting a device to a profile requires the client on the new
device to interact with a client on a device that has administration
capabilities, i.e. it has access to an Online Signing Key. Since
clients cannot interact directly with other clients, a service is
required to mediate the connection. This service is provided by a
Mesh portal provider.
All service transactions are initiated by the clients. First the
connecting device posts ConnectStart, after which it may poll for the
outcome of the connection request using ConnectStatus.
Periodically, the Administration Device polls for a list of pending
connection requests using ConnectPending. After posting a request,
the administration device posts the result using ConnectComplete:
Connecting Mesh Administration
Device Service Device
| | |
| ConnectStart | |
| ----------------------> | |
| | ConnectPending |
| | <---------------------- |
| | |
| | ConnectComplete |
| | <---------------------- |
| ConnectStatus | |
| ----------------------> | |
Figure 11
The first step in the process is for the client to generate a device
profile. Ideally the device profile is bound to the device in a
read-only fashion such that applications running on the device can
make use of the deencryption and authentication keys but these
private keys cannot be extracted from the device:
{
"DeviceProfile": {
"Identifier": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"Names": ["Default"],
"Description": "Unknown",
"DeviceSignatureKey": {
"UDF": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"PublicParameters": {
"PublicKeyRSA": {
Hallam-Baker Expires October 13, 2018 [Page 15]
Internet-Draft Mathematical Mesh Reference April 2018
"kid": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"n": "
8cxQYz71dYg24QyipvRGE6MAaoWBuFHASmD9LwSFs_A3P-CkxJ9MULvg_VNLpME_
HeNMZPNUDzZEjaUCftNUo77fhHP55xA2s9qlf0l-iYzeJjw9F0nEGNSaQOvJzKV1
VitQuAw546tSNle4I2iNI1caqnDG0567I8mYwZRmifXKuLfXRB3dG-ZiAleeP3R9
5l4aQX3DXpqSMgyl9R5NA5-m9Lv6gjBEuQ2j5BESulXKjiSH8BNjrSIbrFTdesv4
25RNY19gsfOppwvCBp1Fqv5aSc5uAdP6gtkgZ0S2KNPvnlrSl-LKfTy_CPH9kyzy
J8atJh_8pvVgr3LnVD5H-Q"
,
"e": "
AQAB"
}}},
"DeviceAuthenticationKey": {
"UDF": "MBVAM-ERHD2-PPPG3-7VWRP-U4AY2-7VOQ5",
"PublicParameters": {
"PublicKeyRSA": {
"kid": "MBVAM-ERHD2-PPPG3-7VWRP-U4AY2-7VOQ5",
"n": "
tYv9FY3ON556ZCFQKm1aevnjOaAzezXV5k60B39GTZPyBoM7cfXeUpvxcvvUyE1q
G_w0bBg58PckKZqfDR9dX5cH-MpLprtoXGMlSLLLS4wXkaaKxeHVWWLhoMNpYnSp
xzpTTEikofzJZp5RitOr1hnbfTZ7PRmpBrLajpKgg-ACRDQJ03mIa75D04EoLx77
6Ccu4pK0G3K81nu2Lc4Or3Syu_GR4cepAATudiXOU1pg7dpeBruy8jXespyjXUdQ
-wr32yH8qfJWdvsU6vCKbYXH6Hmf_SbCz8r4px5qpNwRb6Vrq1NEA7CbK9arIPgE
6P_D3SybJ0lKc-Qz7wjqlQ"
,
"e": "
AQAB"
}}},
"DeviceEncryptiontionKey": {
"UDF": "MDT3C-LKVOS-EYFGZ-GML2P-YY2IK-OJJIS",
"PublicParameters": {
"PublicKeyRSA": {
"kid": "MDT3C-LKVOS-EYFGZ-GML2P-YY2IK-OJJIS",
"n": "
8O0fFIjO5vMCjtvJN9nZ6eBc-EeNAvHOlvLyFZNELiY0OGYXEcjmRnN91qSaiR2I
98vQ3GMWzbA0UoLE08kSoz99za-c2mJx_OPxTKL1ZWSXF7IalPwG8KKBBkg7IQSb
OV1UWFB1jHCmDLn02E-zwO9AhHtIvcTgOLqCzCZv7QyMkQ0r7iJft-HbkFotDG8L
XYz-RJ0UeA2jbmx6PbYkMoGpXZe5KwIssOJhyTOkJtqOSpSgRdhgn37yZ6U1mu79
18bLcufFqQ2THnkmDBG-HNKZtcw53EBGYTSTBr1m34DkUn7oCWIKjPWbubxQt1jd
Rg1q1TRnZFETq6DVvuB1_Q"
,
"e": "
AQAB"
}}}}}
Figure 12
The device profile is then signed:
Hallam-Baker Expires October 13, 2018 [Page 16]
Internet-Draft Mathematical Mesh Reference April 2018
{
"SignedDeviceProfile": {
"Identifier": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJEZXZpY2VQcm9maWxlIjogewogICAgIklkZW50aWZpZXIiOiAiTUM1WFot
UUxPUFUtNkNLNFktM0lTWjUtS0hJTFYtQURQSEkiLAogICAgIk5hbWVzIjogWyJE
...
ICAgICAgICAgImUiOiAiCkFRQUIifX19fX0"
,
"signatures": [{
"header": {
"kid": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCjhYUVk0VkI5VU04bzd0cUdY
aUdack1nQlVnNm5mWXpLVWhBU1E1VHJKWUE5dGVKcTRQTGhqSDVPQWcyN3hLNEEK
b2RVYjJwT2RZaTFJUkJRRXA4VGlaQSJ9"
,
"signature": "
P7yjwhMYFUqupGsqcZyokfaDZV2o8-vLpXbHEQKihw_9gRokbMvqkwhhQt4RjeL8
DMBj1CgtpauMKbtmaqrpolJfX5IjQPnULTCdeEDvrGuyzw6zVAL8j0xBKCOqWxz-
pmk_kGA7svNBukfQ4wVAI1-PQw8c-garvpRZWFAD1oSkFhMQxhEG1zn0B3abJRmI
Bf9Fukqp1B5HdmOUOEp0MHJ56SaGHOSxKKmp5L3LtDsgmvJ-LumVrYpcaAAvSqI0
4qaUcWSWIGkEZ0pbXAm6O2rQYZjO2YAbLwPIasuukTHf2ukWM4DKIP8sp2qLS35A
EOTudNFW1ImVOiOKWBt-0A"
}]}}}
Figure 13
3.3.1. Profile Authentication
One of the main architecutral principles of the Mesh is bilateral
authentication. Every device that is connected to a Mesh profile
MUST authenticate the profile it is connecting to and every Mesh
profile administrator MUST authenticate devices that are connected.
Having created the necessary profile, the device MUST verify that it
is connecting to the correct Mesh profile. The best mechanism for
achieving this purpose depends on the capabilities of the device
being connected. The administration device obviously requires some
means of communicating with the user to serve its function. But the
device being connected may have a limited display capability or no
user interaction capability at all.
Hallam-Baker Expires October 13, 2018 [Page 17]
Internet-Draft Mathematical Mesh Reference April 2018
3.3.1.1. Interactive Devices
If the device has user input and display capabilities, it can verify
that it is connecting to the correct display by first requesting the
user enter the portal account of the profile they wish to connect to,
retreiving the profile associated with the device and displaying the
profile fingerprint.
The client requests the profile for the requested account name:
{
"GetRequest": {
"Account": "test@prismproof.org",
"Multiple": false}}
Figure 14
The response contains the requested profile information.
Hallam-Baker Expires October 13, 2018 [Page 18]
Internet-Draft Mathematical Mesh Reference April 2018
{
"GetResponse": {
"Status": 201,
"StatusDescription": "Operation completed successfully",
"Entries": [{
"SignedPersonalProfile": {
"Identifier": "MALEI-GTV3E-5W7JR-6NMEY-7G52U-6K3OT",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJQZXJzb25hbFByb2ZpbGUiOiB7CiAgICAiSWRlbnRpZmllciI6ICJNQUxF
SS1HVFYzRS01VzdKUi02Tk1FWS03RzUyVS02SzNPVCIsCiAgICAiU2lnbmVkTWFz
...
b25zIjogW119fQ"
,
"signatures": [{
"header": {
"kid": "MCWKN-SFJ2G-CDZQ4-ZPT4S-GS6LU-Y3COT"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCjhhR1g4Z2hibUlhc2FXVEtm
UjBhQ0QyLU5Fckh3Z0RXRkIwM2diSk1hZFhSVkpyZmpYc1RxNXFZeEhyRDRDTzQK
d0JoWXBkejVyRXJVSmtaUVFQYl9lUSJ9"
,
"signature": "
v0aUBSoxs6FMtFsbWMZViJvVNh3GNliu7CEnw2Ajj-3mRwEtgTFY0H5RiB9AIbI2
TODq7JPKm7-6CCUEugXGdh4ZOnu5A2pAbwtotdAZBpNlhTQTuN6EE-OXwZmZSQyG
DZil2tIjLxYSlsX6vWB4M00HPPYx44TLvbbNVbTVJpw5gnWTceSw5nzIsUqT3gVE
8mCtN2Vo4EWKcMEhUJMx9nUkIaclW9orbA51S3B8QeMGP179cyZ_X_y6TKC3wIB6
AUm6ZQtpa_gBRnAmkbJj6-H_zI_OQIUO_IO2ANL3jI7TSiGPA7VhKsTYDTihMPHs
wfDAwuxZ2a5enFCczaywlg"
}]}}}]}}
Figure 15
Having received the profile data, the user can then verify that the
device is attempting to connect to the correct profile by verifying
that the fingerprint shown by the device attempting to connect is
correct.
3.3.1.2. Constrained Interaction Devices
Connection of an Internet of Things 'IoT' device that does not have
the ability to accept user input requires a mechanism by which the
user can identify the device they wish to connect to their profile
and a mechanism to authenticate the profile to the device.
Hallam-Baker Expires October 13, 2018 [Page 19]
Internet-Draft Mathematical Mesh Reference April 2018
If the connecting device has a wired communication capability such as
a USB port, this MAY be used to effect the device connection using a
standardized interaction profile. But an increasing number of
constrained IoT devices are only capable of wireless communication.
Configuration of such devices for the purpose of the Mesh requires
that we also consider configuration of the wireless networking
capabilities at the same time. The precise mechanism by which this
is achieved is therefore outside the scope of this particular
document. However prototypes have been built and are being
considered that make use of some or all of the following
communication techniques:
o DHCP signalling.
o Machine readable device identifiers (barcodes, QRCodes).
o Default device profile installed during manufacture.
o Optical communication path using camera on administrative device
and status light on connecting device to communicate the device
identifier, challenge nonce and confirm profile fingerprint.
o Speech output on audio capable connecting device.
3.3.2. Connection request
After the user verifies the device fingerprint as correct, the client
posts a device connection request to the portal:
Hallam-Baker Expires October 13, 2018 [Page 20]
Internet-Draft Mathematical Mesh Reference April 2018
{
"ConnectStartRequest": {
"SignedRequest": {
"Identifier": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJDb25uZWN0aW9uUmVxdWVzdCI6IHsKICAgICJQYXJlbnRVREYiOiAiTUFM
RUktR1RWM0UtNVc3SlItNk5NRVktN0c1MlUtNkszT1QiLAogICAgIkRldmljZSI6
...
fX0sCiAgICAiRGV2aWNlRGF0YSI6IFtdfX0"
,
"signatures": [{
"header": {
"kid": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCm54cTR3NzdoN2FSdk5weC1r
MDNGTTF3b1hEN1lLMTN6RGxzcWltVWRCUjUxWkFzNU0wVnZOOFRwQ3F6aXEzcS0K
T1hwbU9FM0xXLXVkSzJSUmVIdmVQZyJ9"
,
"signature": "
GzjZPfI5yYIR1g69NWQOU2zKKAl_AY2wPfLHJohJ_cK1NGBqkfXDQMMhWfmkvkb1
qqSja0e1zeNkZbd6HYPy-dXNPIcy-6Bf3sV1IqvVn2-TZQbJO_1VnYdj7Xzj7YG9
8FMCiMvtHXUuWtUJdaUzKhxVGlqGPzkROBgODb8CvMV3NVUwykaP5_myvSk9OXIA
OSub_jZ3OX4RPklHMXuffqea0AjF_ezixgsMv01ZcvL3mFKnpk_FoRFZjYH9vP-t
w7fjP7BmRnN2qB7c3GdfLnbovfw1Fcmi7l2MYZymn9BObm2QVvffiz_UVgJBU-qk
PJMj9rTfd4XzjR7Bwf1f6Q"
}]}},
"AccountID": "test@prismproof.org"}}
Figure 16
The portal verifies that the request is accepable and returns the
transaction result:
{
"ConnectStartResponse": {}}
Figure 17
3.3.3. Administrator Polls Pending Connections
The client can poll the portal for the status of pending requests at
any time (modulo any service throttling restrictions at the service
side). But the request status will only change when an update is
posted by an administration device.
Hallam-Baker Expires October 13, 2018 [Page 21]
Internet-Draft Mathematical Mesh Reference April 2018
Since the user is typically connecting a device to their profile, the
next step in connecting the device is to start the administration
client. When started, the client polls for pending connection
requests using ConnectPendingRequest.
{
"ConnectPendingRequest": {
"AccountID": "test@prismproof.org"}}
Figure 18
The service responds with a list of pending requests:
{
"ConnectPendingResponse": {
"Pending": [{
"Identifier": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJDb25uZWN0aW9uUmVxdWVzdCI6IHsKICAgICJQYXJlbnRVREYiOiAiTUFM
RUktR1RWM0UtNVc3SlItNk5NRVktN0c1MlUtNkszT1QiLAogICAgIkRldmljZSI6
...
fX0sCiAgICAiRGV2aWNlRGF0YSI6IFtdfX0"
,
"signatures": [{
"header": {
"kid": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCm54cTR3NzdoN2FSdk5weC1r
MDNGTTF3b1hEN1lLMTN6RGxzcWltVWRCUjUxWkFzNU0wVnZOOFRwQ3F6aXEzcS0K
T1hwbU9FM0xXLXVkSzJSUmVIdmVQZyJ9"
,
"signature": "
GzjZPfI5yYIR1g69NWQOU2zKKAl_AY2wPfLHJohJ_cK1NGBqkfXDQMMhWfmkvkb1
qqSja0e1zeNkZbd6HYPy-dXNPIcy-6Bf3sV1IqvVn2-TZQbJO_1VnYdj7Xzj7YG9
8FMCiMvtHXUuWtUJdaUzKhxVGlqGPzkROBgODb8CvMV3NVUwykaP5_myvSk9OXIA
OSub_jZ3OX4RPklHMXuffqea0AjF_ezixgsMv01ZcvL3mFKnpk_FoRFZjYH9vP-t
w7fjP7BmRnN2qB7c3GdfLnbovfw1Fcmi7l2MYZymn9BObm2QVvffiz_UVgJBU-qk
PJMj9rTfd4XzjR7Bwf1f6Q"
}]}}]}}
Figure 19
Hallam-Baker Expires October 13, 2018 [Page 22]
Internet-Draft Mathematical Mesh Reference April 2018
3.3.4. Administrator updates and publishes the personal profile.
The device profile is added to the Personal profile which is then
signed by the online signing key. The administration client
publishes the updated profile to the Mesh through the portal:
{
"ConnectPendingRequest": {
"AccountID": "test@prismproof.org"}}
Figure 20
As usual, the service returns the response code:
{
"ConnectPendingResponse": {
"Pending": [{
"Identifier": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJDb25uZWN0aW9uUmVxdWVzdCI6IHsKICAgICJQYXJlbnRVREYiOiAiTUFM
RUktR1RWM0UtNVc3SlItNk5NRVktN0c1MlUtNkszT1QiLAogICAgIkRldmljZSI6
...
fX0sCiAgICAiRGV2aWNlRGF0YSI6IFtdfX0"
,
"signatures": [{
"header": {
"kid": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCm54cTR3NzdoN2FSdk5weC1r
MDNGTTF3b1hEN1lLMTN6RGxzcWltVWRCUjUxWkFzNU0wVnZOOFRwQ3F6aXEzcS0K
T1hwbU9FM0xXLXVkSzJSUmVIdmVQZyJ9"
,
"signature": "
GzjZPfI5yYIR1g69NWQOU2zKKAl_AY2wPfLHJohJ_cK1NGBqkfXDQMMhWfmkvkb1
qqSja0e1zeNkZbd6HYPy-dXNPIcy-6Bf3sV1IqvVn2-TZQbJO_1VnYdj7Xzj7YG9
8FMCiMvtHXUuWtUJdaUzKhxVGlqGPzkROBgODb8CvMV3NVUwykaP5_myvSk9OXIA
OSub_jZ3OX4RPklHMXuffqea0AjF_ezixgsMv01ZcvL3mFKnpk_FoRFZjYH9vP-t
w7fjP7BmRnN2qB7c3GdfLnbovfw1Fcmi7l2MYZymn9BObm2QVvffiz_UVgJBU-qk
PJMj9rTfd4XzjR7Bwf1f6Q"
}]}}]}}
Figure 21
Hallam-Baker Expires October 13, 2018 [Page 23]
Internet-Draft Mathematical Mesh Reference April 2018
3.3.5. Administrator posts completion request.
Having accepted the device and connected it to the profile, the
administration client creates and signs a connection completion
result which is posted to the portal using ConnectCompleteRequest:
{
"ConnectCompleteRequest": {
"Result": {
"Identifier": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJDb25uZWN0aW9uUmVzdWx0IjogewogICAgIkRldmljZSI6IHsKICAgICAg
IklkZW50aWZpZXIiOiAiTUM1WFotUUxPUFUtNkNLNFktM0lTWjUtS0hJTFYtQURQ
...
CmhCcXZGM2NzWEdKOERfLTVhZlY5OWcifV19fX19fQ"
,
"signatures": [{
"header": {
"kid": "MCWKN-SFJ2G-CDZQ4-ZPT4S-GS6LU-Y3COT"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCmhiZENhZXQ3MXNzaWlqVkpV
TWduTUNIcExyVjUwNmx5ejZKU25SaFpBNG1YU19FcXluLUNfUjhGQkFSamRMR3EK
TVRsaVBEMDZuM0ZsRk1OdXppMTFmQSJ9"
,
"signature": "
tGk7QPnDx9AinDZbkMHUnSKHDDO0SOTBBDRt-ia3WimTmnpbfPXvdyWhKSwtpyWE
sYx7pQMwufCxtA3v1f02dOMGsJTmQQ44rAmE5InSuFFrWSWoXXZfcfdveiGZg9vj
Mg0_RBDD3pdASLa7ZFQhM1hqmXVCT-zsITzqGHejO3oUWAhRFtWIHycaBWRw4TDM
B4lmQy3qEdgWhbqvllIUPDAw-sBZzRnNRnc4p3SyYXUWAisvdOhjn9ICS9iSeHEY
IvDtR7-Lal2N8mzfRubLEKMtEtj6CEShqTva2sCCgJJEHxyLqcZTUXhE-YGR2nQD
p9KsdZpdLo-RpDVkMnqmQA"
}]}},
"AccountID": "test@prismproof.org"}}
Figure 22
Again, the service returns the response code:
{
"ConnectCompleteResponse": {}}
Figure 23
Hallam-Baker Expires October 13, 2018 [Page 24]
Internet-Draft Mathematical Mesh Reference April 2018
3.3.6. Connecting device polls for status update.
As stated previously, the connecting device polls the portal
periodically to determine the status of the pending request using
ConnectStatusRequest:
{
"ConnectStatusRequest": {
"AccountID": "test@prismproof.org",
"DeviceID": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI"}}
Figure 24
If the response is that the connection status has not changed, the
service MAY return a response that specifies a minimum retry
interval. In this case however there is a connection result:
{
"ConnectStatusResponse": {
"Result": {
"Identifier": "MC5XZ-QLOPU-6CK4Y-3ISZ5-KHILV-ADPHI",
"SignedData": {
"unprotected": {
"dig": "S512"},
"payload": "
ewogICJDb25uZWN0aW9uUmVzdWx0IjogewogICAgIkRldmljZSI6IHsKICAgICAg
IklkZW50aWZpZXIiOiAiTUM1WFotUUxPUFUtNkNLNFktM0lTWjUtS0hJTFYtQURQ
...
CmhCcXZGM2NzWEdKOERfLTVhZlY5OWcifV19fX19fQ"
,
"signatures": [{
"header": {
"kid": "MCWKN-SFJ2G-CDZQ4-ZPT4S-GS6LU-Y3COT"},
"protected": "
ewogICJhbGciOiAiUlM1MTIiLAogICJ2YWwiOiAiCmhiZENhZXQ3MXNzaWlqVkpV
TWduTUNIcExyVjUwNmx5ejZKU25SaFpBNG1YU19FcXluLUNfUjhGQkFSamRMR3EK
TVRsaVBEMDZuM0ZsRk1OdXppMTFmQSJ9"
,
"signature": "
tGk7QPnDx9AinDZbkMHUnSKHDDO0SOTBBDRt-ia3WimTmnpbfPXvdyWhKSwtpyWE
sYx7pQMwufCxtA3v1f02dOMGsJTmQQ44rAmE5InSuFFrWSWoXXZfcfdveiGZg9vj
Mg0_RBDD3pdASLa7ZFQhM1hqmXVCT-zsITzqGHejO3oUWAhRFtWIHycaBWRw4TDM
B4lmQy3qEdgWhbqvllIUPDAw-sBZzRnNRnc4p3SyYXUWAisvdOhjn9ICS9iSeHEY
IvDtR7-Lal2N8mzfRubLEKMtEtj6CEShqTva2sCCgJJEHxyLqcZTUXhE-YGR2nQD
p9KsdZpdLo-RpDVkMnqmQA"
}]}}}}
Figure 25
Hallam-Baker Expires October 13, 2018 [Page 25]
Internet-Draft Mathematical Mesh Reference April 2018
[Should probably unpack further.]
3.4. Adding an application profile to a user profile
Application profiles are published separately from the personal
profile to which they are linked. This allows a device to be given
administration capability for a particular application without
granting administration capability for the profile itself and the
ability to connect additional profiles and devices.
Another advantage of this separation is that an application profile
might be managed by a separate party. In an enterprise, the
application profile for a user's corporate email account could be
managed by the corporate IT department.
A user MAY have multiple application profiles for the same
application. If a user has three email accounts, they would have
three email application profiles, one for each account.
In this example, the user has requested a PaswordProfile to be
created. When populated, this records the usernames and passwords
for the various Web sites that the user has created accounts at and
has requested the Web browser store in the Mesh.
Unlike a traditional password management service, the data stored the
Password Profile is encrypted end to end and can only be decrypted by
the devices that hold a decryption key.
{Example.PasswordProfile1}
Figure 26
The application profile is published to the Mesh in the same way as
any other profile update, via a a Publish transaction:
% Point = Example.Traces.Get (Example.LabelApplicationWeb1);
{Point.Messages[0].String()}
The service returns a status response.
{Point.Messages[1].String()}
Note that the degree of verification to be performed by the service
when an application profile is published is an open question.
Having created the application profile, the administration client
adds it to the personal profile and publishes it:
Hallam-Baker Expires October 13, 2018 [Page 26]
Internet-Draft Mathematical Mesh Reference April 2018
{Point.Messages[0].String()}
Note that if the publication was to happen in the reverse order, with
the personal profile being published before the application profile,
the personal profile might be rejected by the portal for
inconsistency as it links to a non existent application profile.
Though the value of such a check is debatable. It might well be
preferable to not make such checks as it permits an application
profile to have a degree of anonymity.
{Point.Messages[1].String()}
3.5. Creating a recovery profile
The Mesh invites users to put all their data eggs in one
cryptographic basket. If the private keys in their master profile
are lost, they could lose all their digital assets.
The debate over the desirability of key escrow is a complex one. Not
least because voluntary key escrow by the user to protect the user's
digital assets is frequently conflated with mechanisms to support
'Lawful Access' through government managed backdoors.
Accidents happen and so do disasters. For most users and most
applications, data loss is a much more important concern than data
disclosure. The option of using a robust key recovery mechanism is
therefore essential for use of strong cryptography is to become
ubiquitous.
There are of course circumstances in which some users may prefer to
risk losing some of their data rather than risk disclosure. Since
any key recovery infrastructure necessarily introduces the risk of
coercion, the choice of whether to use key recovery or not is left to
the user to decide.
The Mesh permits users to escrow their private keys in the Mesh
itself in an OfflineEscrowEntry. Such entries are encrypted using
the strongest degree of encryption available under a symmetric key.
The symmetric key is then in turn split using Shamir secret sharing
using an n of m threshold scheme.
The OfflineEscrowEntry identifier is a UDF fingerprint of the
symmetric key used to encrypt the data. This guarantees that a party
that has the decryption key has the ability to locate the
corresponding Escrow entry.
The OfflineEscrowEntry is published using the usual Publish
transaction:
Hallam-Baker Expires October 13, 2018 [Page 27]
Internet-Draft Mathematical Mesh Reference April 2018
{Point.Messages[0].String()}
The response indicates success or failure:
{Point.Messages[1].String()}
3.6. Recovering a profile
To recover a profile, the user MUST supply the necessary number of
secret shares. These are then used to calculate the UDF fingerprint
to use as the locator in a Get transaction:
{Point.Messages[0].String()}
If the transaction succeeds, GetResponse is returned with the
requested data.
{Point.Messages[1].String()}
The client can now decrypt the OfflineEscrowEntry to recover the
private key(s).
4. Shared Classes
The following classes are used as common elements in Mesh profile
specifications.a
4.1. Cryptographic Data Classes
Most Mesh objects are signed and/or encrypted. For consistency all
Mesh classes make use of the cryptographic data classes described in
this section.
4.1.1. Structure: PublicKey
The PublicKey class is used to describe public key pairs and trust
assertions associated with a public key.
UDF: String (Optional) UDF fingerprint of the public key parameters/
X509Certificate: Binary (Optional) List of X.509 Certificates
X509Chain: Binary [0..Many] X.509 Certificate chain.
X509CSR: Binary (Optional) X.509 Certificate Signing Request.
Hallam-Baker Expires October 13, 2018 [Page 28]
Internet-Draft Mathematical Mesh Reference April 2018
4.1.2. Structure: SignedData
Container for JOSE signed data and related attributes.
Data: Binary (Optional) The signed data
4.1.3. Structure: EncryptedData
Container for JOSE encrypted data and related attributes.
Data: Binary (Optional) The encrypted data
4.2. Common Application Classes
4.2.1. Structure: Connection
Describes network connection parameters for an application
ServiceName: String (Optional) DNS address of the server
Port: Integer (Optional) TCP/UDP Port number
Prefix: String (Optional) DNS service prefix as described in
[!RFC6335]
Security: String [0..Many] Describes the security mode to use.
Valid choices are Direct/Upgrade/None
UserName: String (Optional) Username to present to the service for
authentication
Password: String (Optional) Password to present to the service for
authentication
URI: String (Optional) Service connection parameters in URI format
Authentication: String (Optional) List of the supported/acceptable
authentication mechanisms, preferred mechanism first.
TimeOut: Integer (Optional) Service timeout in seconds.
Polling: Boolean (Optional) If set, the client should poll the
specified service intermittently for updates.
Hallam-Baker Expires October 13, 2018 [Page 29]
Internet-Draft Mathematical Mesh Reference April 2018
5. Mesh Profile Objects
5.1. Base Profile Objects
5.1.1. Structure: Entry
Base class for all Mesh Profile objects.
Identifier: String (Optional) Globally unique identifier that
remains constant for the lifetime of the entry.
5.1.2. Structure: SignedProfile
Inherits: Entry
Contains a signed profile entry
SignedData: JoseWebSignature (Optional) The signed profile.
Note that each child of SignedProfile requires that the Payload
field of the SignedData object contain an object of a specific
type. For example, a SignedDeviceProfile object MUST contain a
Payload field that contains a DeviceProfile object.
Unauthenticated: Advice (Optional) Additional data that is not
authenticated.
5.1.3. Structure: Advice
Additional data bound to a signed profile that is not authenticated.
Default: DateTime (Optional) If specified, the profile was the
default profile at the specified date and time. The current
default for that type of profile is the profile with the most
recent Default timestamp.
5.1.4. Structure: PortalAdvice
Describes the portal(s) at which the profile is registered.
Inherits: Advice
Inherits: Advice
PortalAddress: String [0..Many] A portal address at which this
profile is registered.
Hallam-Baker Expires October 13, 2018 [Page 30]
Internet-Draft Mathematical Mesh Reference April 2018
5.1.5. Structure: Profile
Inherits: Entry
Parent class from which all profile types are derived
Names: String [0..Many] Fingerprints of index terms for profile
retrieval. The use of the fingerprint of the name rather than the
name itself is a precaution against enumeration attacks and other
forms of abuse.
Updated: DateTime (Optional) The time instant the profile was last
modified.
NotaryToken: String (Optional) A Uniform Notary Token providing
evidence that a signature was performed after the notary token was
created.
5.2. Device Profile Classes
5.2.1. Structure: SignedDeviceProfile
Inherits: SignedProfile
Contains a signed device profile
[No fields]
5.2.2. Structure: DeviceProfile
Inherits: Profile
Describes a mesh device.
Description: String (Optional) Description of the device
DeviceSignatureKey: PublicKey (Optional) Key used to sign
certificates for the DAK and DEK. The fingerprint of the DSK is
the UniqueID of the Device Profile
DeviceAuthenticationKey: PublicKey (Optional) Key used to
authenticate requests made by the device.
DeviceEncryptiontionKey: PublicKey (Optional) Key used to pass
encrypted data to the device such as a DeviceUseEntry
Hallam-Baker Expires October 13, 2018 [Page 31]
Internet-Draft Mathematical Mesh Reference April 2018
5.2.3. Structure: DevicePrivateProfile
Private portion of device encryption profile.
DeviceSignatureKey: Key (Optional) Private portion of the
DeviceSignatureKey
DeviceAuthenticationKey: Key (Optional) Private portion of the
DeviceAuthenticationKey
DeviceEncryptiontionKey: Key (Optional) Private portion of the
DeviceEncryptiontionKey
5.3. Master Profile Objects
5.3.1. Structure: SignedMasterProfile
Inherits: SignedProfile
Contains a signed Personal master profile
[No fields]
5.3.2. Structure: MasterProfile
Inherits: Profile
Describes the long term parameters associated with a personal
profile.
MasterSignatureKey: PublicKey (Optional) The root of trust for the
Personal PKI, the public key of the PMSK is presented as a self-
signed X.509v3 certificate with Certificate Signing use enabled.
The PMSK is used to sign certificates for the PMEK, POSK and PKEK
keys.
MasterEscrowKeys: PublicKey [0..Many] A Personal Profile MAY contain
one or more PMEK keys to enable escrow of private keys used for
stored data.
OnlineSignatureKeys: PublicKey [0..Many] A Personal profile contains
at least one POSK which is used to sign device administration
application profiles.
Hallam-Baker Expires October 13, 2018 [Page 32]
Internet-Draft Mathematical Mesh Reference April 2018
5.4. Personal Profile Objects
5.4.1. Structure: SignedPersonalProfile
Inherits: SignedProfile
Contains a signed Personal current profile
[No fields]
5.4.2. Structure: PersonalProfile
Inherits: Profile
Describes the current applications and devices connected to a
personal master profile.
SignedMasterProfile: SignedMasterProfile (Optional) The
corresponding master profile. The profile MUST be signed by the
PMSK.
Devices: SignedDeviceProfile [0..Many] The set of device profiles
connected to the profile. The profile MUST be signed by the DSK
in the profile.
Applications: ApplicationProfileEntry [0..Many] Application profiles
connected to this profile.
5.4.3. Structure: ApplicationProfileEntry
Personal profile entry describing the privileges of specific devices.
Identifier: String (Optional) The unique identifier of the
application
Type: String (Optional) The application type
Friendly: String (Optional) Optional friendly name identifying the
application.
AdminDeviceUDF: String [0..Many] List of devices authorized to sign
application profiles
DecryptDeviceUDF: String [0..Many] List of devices authorized to
read private parts of application profiles.
AccountID: String (Optional) The account at which the profile is
located.
Hallam-Baker Expires October 13, 2018 [Page 33]
Internet-Draft Mathematical Mesh Reference April 2018
5.5. Application Profile Objects
5.5.1. Structure: SignedApplicationProfile
Inherits: SignedProfile
Contains a signed device profile
[No fields]
5.5.2. Structure: ApplicationProfile
Inherits: Profile
Parent class from which all application profiles inherit.
[No fields]
5.5.3. Structure: ApplicationProfilePrivate
Inherits: Entry
The base class for all private profiles.
[No fields]
5.5.4. Structure: ApplicationDevicePublic
Inherits: Entry
Describes the public per device data
DeviceDescription: String (Optional) Description of the device for
convenience of the user.
DeviceUDF: String (Optional) Fingerprint of device that this key
corresponds to.
5.5.5. Structure: ApplicationDevicePrivate
Inherits: Entry
Describes the private per device data
[No fields]
Hallam-Baker Expires October 13, 2018 [Page 34]
Internet-Draft Mathematical Mesh Reference April 2018
5.6. Key Escrow Objects
5.6.1. Structure: EscrowEntry
Inherits: Entry
Contains escrowed data
EncryptedData: JoseWebEncryption (Optional) The encrypted escrow
data
5.6.2. Structure: OfflineEscrowEntry
Inherits: EscrowEntry
Contains data escrowed using the offline escrow mechanism.
[No fields]
5.6.3. Structure: OnlineEscrowEntry
Inherits: EscrowEntry
Contains data escrowed using the online escrow mechanism.
[No fields]
5.6.4. Structure: EscrowedKeySet
A set of escrowed keys.
[No fields]
6. Portal Connection
6.1. Connection Request and Response Structures
6.1.1. Structure: ConnectionRequest
Describes a connection request.
ParentUDF: String (Optional) UDF of Mesh Profile to which connection
is requested.
Device: SignedDeviceProfile (Optional) The Device profile to be
connected
Hallam-Baker Expires October 13, 2018 [Page 35]
Internet-Draft Mathematical Mesh Reference April 2018
6.1.2. Structure: SignedConnectionRequest
Inherits: SignedProfile
Contains a ConnectionRequest signed by the corresponding device
signature key.
[No fields]
6.1.3. Structure: ConnectionResult
Describes the result of a connection request.
Inherits: ConnectionRequest
Inherits: ConnectionRequest
Result: String (Optional) The result of the connection request.
Valid responses are: Accepted, Refused, Query.
6.1.4. Structure: SignedConnectionResult
Inherits: SignedProfile
Contains a signed connection result
[No fields]
7. Mesh Portal Service Reference
HTTP Well Known Service Prefix: /.well-known/mmm
Every Mesh Portal Service transaction consists of exactly one request
followed by exactly one response. Mesh Service transactions MAY
cause modification of the data stored in the Mesh Portal or the Mesh
itself but do not cause changes to the connection state. The
protocol itself is thus idempotent. There is no set sequence in
which operations are required to be performed. It is not necessary
to perform a Hello transaction prior to a ValidateAccount, Publish or
any other transaction.
7.1. Request Messages
A Mesh Portal Service request consists of a payload object that
inherits from the MeshRequest class. When using the HTTP binding,
the request MUST specify the portal DNS address in the HTTP Host
field.
Hallam-Baker Expires October 13, 2018 [Page 36]
Internet-Draft Mathematical Mesh Reference April 2018
7.1.1. Message: MeshRequest
Base class for all request messages.
Portal: String (Optional) Name of the Mesh Portal Service to which
the request is directed.
7.2. Response Messages
A Mesh Portal Service response consists of a payload object that
inherits from the MeshResponse class. When using the HTTP binding,
the response SHOULD report the Status response code in the HTTP
response message. However the response code returned in the payload
object MUST always be considered authoritative.
7.2.1. Message: MeshResponse
Base class for all response messages. Contains only the status code
and status description fields.
[No fields]
7.3. Imported Objects
The Mesh Service protocol makes use of JSON objects defined in the
JOSE Signatgure and Encryption specifications.
7.4. Common Structures
The following common structures are used in the protocol messages:
7.4.1. Structure: KeyValue
Describes a Key/Value structure used to make queries for records
matching one or more selection criteria.
Key: String (Optional) The data retrieval key.
Value: String (Optional) The data value to match.
7.4.2. Structure: SearchConstraints
Specifies constraints to be applied to a search result. These allow
a client to limit the number of records returned, the quantity of
data returned, the earliest and latest data returned, etc.
NotBefore: DateTime (Optional) Only data published on or after the
specified time instant is requested.
Hallam-Baker Expires October 13, 2018 [Page 37]
Internet-Draft Mathematical Mesh Reference April 2018
Before: DateTime (Optional) Only data published before the specified
time instant is requested. This excludes data published at the
specified time instant.
MaxEntries: Integer (Optional) Maximum number of data entries to
return.
MaxBytes: Integer (Optional) Maximum number of data bytes to return.
PageKey: String (Optional) Specifies a page key returned in a
previous search operation in which the number of responses
exceeded the specified bounds.
When a page key is specified, all the other search parameters
except for MaxEntries and MaxBytes are ignored and the service
returns the next set of data responding to the earlier query.
7.5. Transaction: Hello
Request: HelloRequest
Request: HelloRequest
Response: HelloResponse
Report service and version information.
The Hello transaction provides a means of determining which protocol
versions, message encodings and transport protocols are supported by
the service.
7.6. Transaction: ValidateAccount
Request: ValidateRequest
Request: ValidateRequest
Response: ValidateResponse
Request validation of a proposed name for a new account.
For validation of a user's account name during profile creation.
7.6.1. Message: ValidateRequest
Inherits: MeshRequest
Hallam-Baker Expires October 13, 2018 [Page 38]
Internet-Draft Mathematical Mesh Reference April 2018
Describes the proposed account properties. Currently, these are
limited to the account name but could be extended in future versions
of the protocol.
Account: String (Optional) Account name requested
Reserve: Boolean (Optional) If true, request a reservation for the
specified account name. Note that the service is not obliged to
honor reservation requests.
Language: String [0..Many] List of ISO language codes in order of
preference. For creating explanatory text.
7.6.2. Message: ValidateResponse
Inherits: MeshResponse
States whether the proposed account properties are acceptable and
(optional) returns an indication of what properties are valid.
Note that receiving a 'Valid' responseto a Validate Request does not
guarantee creation of the account. In addition to the possibility
that the account namecould be requested by another user between the
Validate and Create transactions, a portal service MAY perform more
stringent validation criteria when an account is actually being
created. For example, checking with the authoritative list of
current accounts rather than a cached copy.
Valid: Boolean (Optional) If true, the specified account identifier
is acceptable. If false, the account identifier is rejected.
Minimum: Integer (Optional) Specifies the minimum length of an
account name.
Maximum: Integer (Optional) Specifies the maximum length of an
account name.
InvalidCharacters: String (Optional) A list of characters that the
service does not accept in account names. The list of characters
MAY not be exhaustive but SHOULD include any illegal characters in
the proposed account name.
Reason: String (Optional) Text explaining the reason an account name
was rejected.
Hallam-Baker Expires October 13, 2018 [Page 39]
Internet-Draft Mathematical Mesh Reference April 2018
7.7. Transaction: CreateAccount
Request: CreateRequest
Request: CreateRequest
Response: CreateResponse
Request creation of a new portal account.
Unlike a profile, a mesh account is specific to a particular Mesh
portal. A mesh account must be created and accepted before a profile
can be published.
7.7.1. Message: CreateRequest
Request creation of a new portal account. The request specifies the
requested account identifier and the Mesh profile to be associated
with the account.
Inherits: MeshRequest
Inherits: MeshRequest
Account: String (Optional) Account identifier requested.
7.7.2. Message: CreateResponse
Inherits: MeshResponse
Reports the success or failure of a Create transaction.
[No fields]
7.8. Transaction: DeleteAccount
Request: DeleteRequest
Request: DeleteRequest
Response: DeleteResponse
Request deletion of a portal account.
Deletes a portal account but not the underlying profile. Once
registered, profiles are permanent.
Hallam-Baker Expires October 13, 2018 [Page 40]
Internet-Draft Mathematical Mesh Reference April 2018
7.8.1. Message: DeleteRequest
Request deletion of a new portal account. The request specifies the
requested account identifier.
Inherits: MeshRequest
Inherits: MeshRequest
Account: String (Optional) Account identifier to be deleted.
7.8.2. Message: DeleteResponse
Inherits: MeshResponse
Reports the success or failure of a Delete transaction.
[No fields]
7.9. Transaction: Get
Request: GetRequest
Request: GetRequest
Response: GetResponse
Search for data in the mesh that matches a set of properties
described by a sequence of key/value pairs.
7.9.1. Message: GetRequest
Describes the Portal or Mesh data to be retreived.
Inherits: MeshRequest
Inherits: MeshRequest
Identifier: String (Optional) Lookup by profile ID
Account: String (Optional) Lookup by Account ID
KeyValues: KeyValue [0..Many] List of KeyValue pairs specifying the
conditions to be met
SearchConstraints: SearchConstraints (Optional) Constrain the search
to a specific time interval and/or limit the number and/or total
size of data records returned.
Hallam-Baker Expires October 13, 2018 [Page 41]
Internet-Draft Mathematical Mesh Reference April 2018
Multiple: Boolean (Optional) If true return multiple responses if
available
Full: Boolean (Optional) If true, the client requests that the full
Mesh data record be returned containing both the Mesh entry itself
and the Mesh metadata that allows the date and time of the
publication of the Mesh entry to be verified.
7.9.2. Message: GetResponse
Reports the success or failure of a Get transaction. If a Mesh entry
matching the specified profile is found, containsthe list of entries
matching the request.
Inherits: MeshResponse
Inherits: MeshResponse
DataItems: DataItem [0..Many] List of mesh data records matching the
request.
PageKey: String (Optional) If non-null, indicates that the number
and/or size of the data records returned exceeds either the
SearchConstraints specified in the request or internal server
limits.
7.10. Transaction: Publish
Request: PublishRequest
Request: PublishRequest
Response: PublishResponse
Publish a profile or key escrow entry to the mesh.
7.10.1. Message: PublishRequest
Requests publication of the specified Mesh entry.
Inherits: MeshRequest
[No fields]
Hallam-Baker Expires October 13, 2018 [Page 42]
Internet-Draft Mathematical Mesh Reference April 2018
7.10.2. Message: PublishResponse
Reports the success or failure of a Publish transaction.
Inherits: MeshResponse
[No fields]
7.11. Transaction: Status
Request: StatusRequest
Request: StatusRequest
Response: StatusResponse
Request the current status of the mesh as seen by the portal to which
it is directed.
The response to the status request contains the last signed
checkpoint and proof chains for each of the peer portals that have
been checkpointed.
[Not currently implemented]
7.11.1. Message: StatusRequest
Inherits: MeshRequest
Initiates a status transaction.
[No fields]
7.11.2. Message: StatusResponse
Reports the success or failure of a Status transaction.
Inherits: MeshResponse
Inherits: MeshResponse
LastWriteTime: DateTime (Optional) Time that the last write update
was made to the Mesh
LastCheckpointTime: DateTime (Optional) Time that the last Mesh
checkpoint was calculated.
Hallam-Baker Expires October 13, 2018 [Page 43]
Internet-Draft Mathematical Mesh Reference April 2018
NextCheckpointTime: DateTime (Optional) Time at which the next Mesh
checkpoint should be calculated.
CheckpointValue: String (Optional) Last checkpoint value.
7.12. Transaction: ConnectStart
Request: ConnectStartRequest
Request: ConnectStartRequest
Response: ConnectStartResponse
Request connection of a new device to a mesh profile
7.12.1. Message: ConnectStartRequest
Inherits: MeshRequest
Initial device connection request.
SignedRequest: SignedConnectionRequest (Optional) Device connection
request signed by thesignature key of the device requesting
connection.
AccountID: String (Optional) Account identifier of account to which
the device is requesting connection.
7.12.2. Message: ConnectStartResponse
Reports the success or failure of a ConnectStart transaction.
Inherits: MeshRequest
[No fields]
7.13. Transaction: ConnectStatus
Request: ConnectStatusRequest
Request: ConnectStatusRequest
Response: ConnectStatusResponse
Request status of pending connection request of a new device to a
mesh profile
Hallam-Baker Expires October 13, 2018 [Page 44]
Internet-Draft Mathematical Mesh Reference April 2018
7.13.1. Message: ConnectStatusRequest
Inherits: MeshRequest
Request status information for a pending request posted previously.
AccountID: String (Optional) Account identifier for which pending
connection information is requested.
DeviceID: String (Optional) Device identifier of device requesting
status information.
7.13.2. Message: ConnectStatusResponse
Reports the success or failure of a ConnectStatus transaction.
Inherits: MeshRequest
Inherits: MeshRequest
Result: SignedConnectionResult (Optional) The signed
ConnectionResult object.
7.14. Transaction: ConnectPending
Request: ConnectPendingRequest
Request: ConnectPendingRequest
Response: ConnectPendingResponse
Request a list of pending requests for an administration profile.
7.14.1. Message: ConnectPendingRequest
Inherits: MeshRequest
Specify the criteria for pending requests.
AccountID: String (Optional) The account identifier of the account
for which pending connection requests are requested.
SearchConstraints: SearchConstraints (Optional) Constrain the search
to a specific time interval and/or limit the number and/or total
size of data records returned.
Hallam-Baker Expires October 13, 2018 [Page 45]
Internet-Draft Mathematical Mesh Reference April 2018
7.14.2. Message: ConnectPendingResponse
Reports the success or failure of a ConnectPending transaction.
Inherits: MeshRequest
Inherits: MeshRequest
Pending: SignedConnectionRequest [0..Many] A list of pending
requests satisfying the criteria set out in the request.
PageKey: String (Optional) If non-null, indicates that the number
and/or size of the data records returned exceeds either the
SearchConstraints specified in the request or internal server
limits.
7.15. Transaction: ConnectComplete
Request: ConnectCompleteRequest
Request: ConnectCompleteRequest
Response: ConnectCompleteResponse
Post response to a pending connection request.
7.15.1. Message: ConnectCompleteRequest
Reports the success or failure of a ConnectComplete transaction.
Inherits: MeshRequest
Inherits: MeshRequest
Result: SignedConnectionResult (Optional) The connection result to
be posted to the portal. The result MUST be signed by a valid
administration key for the Mesh profile.
AccountID: String (Optional) The account identifier to which the
connection result is posted.
7.15.2. Message: ConnectCompleteResponse
Inherits: MeshRequest
Reports the success or failure of a ConnectComplete transaction.
[No fields]
Hallam-Baker Expires October 13, 2018 [Page 46]
Internet-Draft Mathematical Mesh Reference April 2018
7.16. Transaction: Transfer
Request: TransferRequest
Request: TransferRequest
Response: TransferResponse
Perform a bulk transfer of the log between the specified transaction
identifiers. Requires appropriate authorization
[Not currently implemented]
7.16.1. Message: TransferRequest
Request a bulk transfer of the log between the specified transaction
identifiers. Requires appropriate authorization
Inherits: MeshRequest
Inherits: MeshRequest
SearchConstraints: SearchConstraints (Optional) Constrain the search
to a specific time interval and/or limit the number and/or total
size of data records returned.
7.16.2. Message: TransferResponse
Inherits: MeshResponse
Reports the success or failure of a Transfer transaction. If
successful, contains the list of Mesh records to be transferred.
DataItems: DataItem [0..Many] List of mesh data records matching the
request.
PageKey: String (Optional) If non-null, indicates that the number
and/or size of the data records returned exceeds either the
SearchConstraints specified in the request or internal server
limits.
8. Security Considerations
9. IANA Considerations
All the IANA considerations for the Mesh documents are specified in
this document
Hallam-Baker Expires October 13, 2018 [Page 47]
Internet-Draft Mathematical Mesh Reference April 2018
10. Acknowledgements
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997.
[RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
Cheshire, "Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Service Name and
Transport Protocol Port Number Registry", BCP 165,
RFC 6335, DOI 10.17487/RFC6335, August 2011.
11.2. Informative References
[draft-hallambaker-mesh-architecture]
Hallam-Baker, P., "Mathematical Mesh: Architecture",
draft-hallambaker-mesh-architecture-04 (work in progress),
September 2017.
[draft-hallambaker-mesh-developer]
Hallam-Baker, P., "Mathematical Mesh: Reference
Implementation", draft-hallambaker-mesh-developer-06 (work
in progress), April 2018.
[RFC822] Crocker, D., "STANDARD FOR THE FORMAT OF ARPA INTERNET
TEXT MESSAGES", STD 11, RFC 822, DOI 10.17487/RFC0822,
August 1982.
11.3. URIs
[1] http://mathmesh.com/Documents/draft-hallambaker-mesh-
reference.html
Author's Address
Phillip Hallam-Baker
Comodo Group Inc.
Email: philliph@comodo.com
Hallam-Baker Expires October 13, 2018 [Page 48]