Mathematical Mesh: Client-Service Profiles

NB: The reference material in this document is generated from the schema used to derive the source code. The tool used to create this material has not been optimized to produce output for the IETF documentation format at this time. Consequently the formatting is currently sub-optimal.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

A profile is a first class object. It has a globally unique identifier that provides an unambiguous reference to the profile in any situation.

A record describes the state of an object at the completion of a specific Transaction.

A transaction is an event in which the state of an object changes. Every transaction has a globally unique transaction identifier. Transaction identifiers are issued in a monotonic sequence such that a transaction that completes at time t1 will always have a lower transaction identifier than one that begins at time t2 where t2 > t1.

The master profile contains the axioms of trust for a Mesh user. The key used to sign the profile MUST be MasterSigningKey The Master Signing key is the ultimate trust axiom for the Master Profile.

The key used to sign the profile MUST be a member of MasterProfile/OnlineSignatureKeys The Master Profile that this personal profile is an instance of. A list of application profile entries specifying which application profiles are attached to the personal profile

The key used to sign the profile MUST be MasterSigningKey The Master Signing key is the ultimate trust axiom for the Master Profile.

String [0..1] Globally unique identifier that remains constant for the lifetime of the entry.

Contains a signed profile entry String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebSignature [0..1] The signed profile

Contains a signed device profile String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebSignature [0..1] The signed profile

Contains a signed Personal master profile String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebSignature [0..1] The signed profile

Contains a signed Personal current profile String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebSignature [0..1] The signed profile

Contains a signed device profile String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebSignature [0..1] The signed profile

Contains an encrypted profile entry String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebEncryption [0..1] The signed and encrypted profile

Parent class from which all profile types are derrived String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. String [0..Many] Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse. DateTime [0..1] The time instant the profile was last modified. String [0..1] A Uniform Notary Token providing evidence that a signature was performed after the notary token was created.

Describes the long term parameters associated with a personal profile. String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. String [0..Many] Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse. DateTime [0..1] The time instant the profile was last modified. String [0..1] A Uniform Notary Token providing evidence that a signature was performed after the notary token was created. PublicKey [0..1] The root of trust for the Personal PKI, the public key of the PMSK is presented as a self-signed X.509v3 certificate with Certificate Signing use enabled. The PMSK is used to sign certificates for the PMEK, POSK and PKEK keys. PublicKey [0..Many] A Personal Profile MAY contain one or more PMEK keys to enable escrow of private keys used for stored data. PublicKey [0..Many] A Personal profile contains at least one POSK which is used to sign device administration application profiles.

Describes the current applications and devices connected to a personal master profile. String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. String [0..Many] Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse. DateTime [0..1] The time instant the profile was last modified. String [0..1] A Uniform Notary Token providing evidence that a signature was performed after the notary token was created. SignedMasterProfile [0..1] The corresponding master profile. The profile MUST be signed by the PMSK. SignedDeviceProfile [0..Many] The set of device profiles connected to the profile. The profile MUST be signed by the DSK in the profile. ApplicationProfileEntry [0..Many] Application profiles connected to this profile.

String [0..1] The unique identifier of the application String [0..1] The application type String [0..1] Optional friendly name identifying the application. String [0..Many] List of devices authorized to sign application profiles String [0..Many] List of devices authorized to read private parts of application profiles

Describes a mesh device. String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. String [0..Many] Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse. DateTime [0..1] The time instant the profile was last modified. String [0..1] A Uniform Notary Token providing evidence that a signature was performed after the notary token was created. String [0..1] Description of the device PublicKey [0..1] Key used to sign certificates for the DAK and DEK. The fingerprint of the DSK is the UniqueID of the Device Profile PublicKey [0..1] Key used to authenticate requests made by the device. PublicKey [0..1] Key used to pass encrypted data to the device such as a DeviceUseEntry

Private portion of device encryption profile. Key [0..1] Private portion of the DeviceSignatureKey Key [0..1] Private portion of the DeviceAuthenticationKey Key [0..1] Private portion of the DeviceEncryptiontionKey

Parent class from which all application profiles inherit. String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. String [0..Many] Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse. DateTime [0..1] The time instant the profile was last modified. String [0..1] A Uniform Notary Token providing evidence that a signature was performed after the notary token was created. JoseWebEncryption [0..1] Encrypted application data

Stores usernames and passwords String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. String [0..Many] Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse. DateTime [0..1] The time instant the profile was last modified. String [0..1] A Uniform Notary Token providing evidence that a signature was performed after the notary token was created. JoseWebEncryption [0..1] Encrypted application data

PasswordEntry [0..Many] [TBS]

Username password entry for a single site String [0..Many] DNS name of site *.example.com matches www.example.com etc. String [0..1] Case sensitive username String [0..1] Case sensitive password.

Public profile describes mail receipt policy. Private describes Sending policy String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. String [0..Many] Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse. DateTime [0..1] The time instant the profile was last modified. String [0..1] A Uniform Notary Token providing evidence that a signature was performed after the notary token was created. JoseWebEncryption [0..1] Encrypted application data PublicKey [0..1] The current OpenPGP encryption key PublicKey [0..1] The current S/MIME encryption key

Describes a mail account configuration Private profile contains connection settings for the inbound and outbound mail server(s) and cryptographic private keys. Public profile may contain security policy information for the sender. String [0..1] The RFC822 Email address. [e.g. "alice@example.com"] String [0..1] The RFC822 Reply toEmail address. [e.g. "alice@example.com"] When set, allows a sender to tell the receiver that replies to this account should be directed to this address. String [0..1] The Display Name. [e.g. "Alice Example"] String [0..1] The Account Name for display to the app user [e.g. "Work Account"] Connection [0..Many] The Inbound Mail Connection(s). This is typically IMAP4 or POP3 If multiple connections are specified, the order in the sequence indicates the preference order. Connection [0..Many] The Outbound Mail Connection(s). This is typically SMTP/SUBMIT If multiple connections are specified, the order in the sequence indicates the preference order. PublicKey [0..Many] The public keypair(s) for signing and decrypting email. If multiple public keys are specified, the order indicates preference. PublicKey [0..Many] The public keypairs for encrypting and decrypting email. If multiple public keys are specified, the order indicates preference.

Describes the network profile to follow String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. String [0..Many] Fingerprints of index terms for profile retrieval. The use of the fingerprint of the name rather than the name itself is a precaution against enumeration attacks and other forms of abuse. DateTime [0..1] The time instant the profile was last modified. String [0..1] A Uniform Notary Token providing evidence that a signature was performed after the notary token was created. JoseWebEncryption [0..1] Encrypted application data

Describes the network profile to follow String [0..Many] DNS name of sites to which profile applies *.example.com matches www.example.com etc. Connection [0..Many] DNS Resolution Services String [0..Many] DNS prefixes to search Binary [0..1] Certificate Trust List giving WebPKI roots to trust String [0..Many] List of UDF fingerprints of keys making up the trust roots to be accepted for Web PKI purposes.

Contains escrowed data String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebEncryption [0..1] [TBS]

Contains data escrowed using the offline escrow mechanism. String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebEncryption [0..1] [TBS]

Contains data escrowed using the online escrow mechanism. String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebEncryption [0..1] [TBS]

A set of escrowed keys. Key [0..Many] The escrowed keys.

Describes network connection parameters for an application String [0..1] DNS address of the server Integer [0..1] TCP/UDP Port number String [0..1] DNS service prefix as described in [RFC6335] String [0..Many] Describes the security mode to use. Valid choices are Direct/Upgrade/None String [0..1] Username to present to the service for authentication String [0..1] Password to present to the service for authentication String [0..1] Service connection parameters in URI format String [0..1] List of the supported/acceptable authentication mechanisms, preferred mechanism first. Integer [0..1] Service timeout in seconds. Boolean [0..1] If set, the client should poll the specified service intermittently for updates.

Container for JOSE encrypted data and related attributes. Binary [0..1] [TBS]

Container for JOSE signed data and related attributes. Binary [0..1] [TBS]

Container for public key pair data String [0..1] UDF fingerprint of the key Binary [0..1] List of X.509 Certificates Binary [0..Many] X.509 Certificate chain. Binary [0..1] X.509 Certificate Signing Request.

String [0..1] [TBS] SignedDeviceProfile [0..1] [TBS] String [0..1] [TBS]

String [0..1] [TBS] SignedDeviceProfile [0..1] [TBS] String [0..1] [TBS] String [0..1] [TBS]

Contains a signed connection request String [0..1] Globally unique identifier that remains constant for the lifetime of the entry. JoseWebSignature [0..1] The signed profile

Request: HelloRequest Response: HelloResponse Report service and version information. The Hello transaction provides a means of determining which protocol versions, message encodings and transport protocols are supported by the service.

Request: ValidateRequest Response: ValidateResponse Request validation of a proposed name for a new account. For validation of a user's account name during profile creation.

Request: CreateRequest Response: CreateResponse Request creation of a new mesh account. Unlike a profile, a mesh account is specific to a particular Mesh portal. A mesh account must be created and accepted before a profile can be published.

Request: PublishRequest Response: PublishResponse Publish a profile or key escrow entry to the mesh.

Request: GetRequest Response: GetResponse Search for data in the mesh that matches a set of keys.

Request: GetRequest Response: GetRecordsResponse

Request: TransferRequest Response: TransferResponse Request a bulk transfer of the log between the specified transaction identifiers. Requires appropriate authorization [Not currently implemented]

Request: StatusRequest Response: StatusResponse Request the current status of the mesh as seen by the portal to which it is directed. The response to the status request contains the last signed checkpoint and proof chains for each of the peer portals that have been checkpointed. [Not currently implemented]

Request: ConnectStartRequest Response: ConnectStartResponse Request connection of a new device to a mesh profile

Request: ConnectStatusRequest Response: ConnectStatusResponse Request status of pending connection request of a new device to a mesh profile

Request: ConnectPendingRequest Response: ConnectPendingResponse Request status of pending connection request of a new device to a mesh profile

Request: ConnectCompleteRequest Response: ConnectCompleteResponse Request status of pending connection request of a new device to a mesh profile

[None]

Version [0..1] Enumerates the protocol versions supported Version [0..Many] Enumerates alternate protocol version(s) supported

String [0..1] Account name requested Boolean [0..1] If true, request a reservation for the specified account name. Note that the service is not obliged to honor reservation requests. String [0..Many] List of ISO language codes in order of preference. For creating explanatory text.

Boolean [0..1] [TBS] Integer [0..1] [TBS] String [0..1] A list of characters from the requested account that the service does not accept in account names. String [0..1] Text explaining the reason an account name was rejected.

String [0..1] Account name requested

[None]

String [0..1] Lookup by profile ID String [0..1] Lookup by Account ID KeyValue [0..Many] List of KeyValue pairs specifying the conditions to be met DateTime [0..1] [TBS] DateTime [0..1] [TBS] Boolean [0..1] If true return multiple responses if available

[None]

DataItem [0..Many] List of mesh data records matching the request.

DateTime [0..1] DateTime [0..1] String [0..1] Integer [0..1] Integer [0..1]

[None]

DateTime [0..1] Time that the last write update was made to the Mesh DateTime [0..1] Time that the last Mesh checkpoint was calculated. DateTime [0..1] Time at which the next Mesh checkpoint should be calculated. String [0..1] Last checkpoint value.

SignedConnectionRequest [0..1] String [0..1]

String [0..1]

String [0..1] String [0..1]

SignedConnectionResult [0..1]

String [0..1]

SignedConnectionRequest [0..Many]

SignedConnectionResult [0..1] String [0..1]

[None]

Integer [0..1] Major version number of the service protocol. A higher Integer [0..1] Minor version number of the service protocol. Encoding [0..Many] Enumerates alternative encodings (e.g. ASN.1, XML, JSON-B) if supported by the server String [0..Many] The preferred URI for this service. This MAY be used to effect a redirect in the case that a service moves.

String [0..Many] The IANA encoding name String [0..Many] For encodings that employ a named dictionary for tag or data compression, the name of the dictionary as defined by that encoding scheme.

String [0..1] [TBS] String [0..1] [TBS]

DateTime [0..1] Time the pending item was created. DateTime [0..1] Time the pending item was last modified.

Entry containing the UniqueID is Account[Name]-[Portal] Indexed by [Name], [UserProfileUDF] [Most recent open] DateTime [0..1] Time the pending item was created. DateTime [0..1] Time the pending item was last modified. String [0..1] Assigned account identifier, e.g. 'alice@example.com'. Account names are not case sensitive. String [0..1] Fingerprint of associated user profile String [0..1] Status of the account, valid values are 'Open', 'Closed', 'Suspended'

DateTime [0..1] Time the pending item was created. DateTime [0..1] Time the pending item was last modified. String [0..1] Assigned account identifier, e.g. 'alice@example.com'. Account names are not case sensitive. String [0..1] Fingerprint of associated user profile String [0..1] Status of the account, valid values are 'Open', 'Closed', 'Suspended' SignedPersonalProfile [0..1] [TBS]

Object containing the list of currently pending device connection requests for the specified account. Unique-ID is ConnectionsPending-[UserProfileUDF] DateTime [0..1] Time the pending item was created. DateTime [0..1] Time the pending item was last modified. String [0..1] Assigned account identifier, e.g. 'alice@example.com'. Account names are not case sensitive. String [0..1] Fingerprint of associated user profile String [0..1] Status of the account, valid values are 'Open', 'Closed', 'Suspended' SignedConnectionRequest [0..Many] List of pending requests

TBS

All the IANA considerations for the Mesh documents are specified in this document