Network Working Group P. Hallam-Baker
Internet-Draft Comodo Group Inc.
Intended status: Standards Track March 7, 2016
Expires: September 8, 2016
Mathematical Mesh: Reference
draft-hallambaker-mesh-reference-02
Abstract
The Mathematical Mesh 'The Mesh' is an end-to-end secure
infrastructure that facilitates the exchange of configuration and
credential data between multiple user devices. The core protocols of
the Mesh are described with examples of common use cases and
reference data.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 8, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Hallam-Baker Expires September 8, 2016 [Page 1]
Internet-Draft Mathematical Mesh Reference March 2016
1. Introduction
NB: The reference material in this document is generated from the
schema used to derive the source code. The tool used to create this
material has not been optimized to produce output for the IETF
documentation format at this time. Consequently the formatting is
currently sub-optimal.
2. Definitions
2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Architecture
3.1. Data Model
3.1.1. First Class Object
3.1.2. Profile
A profile is a first class object. It has a globally unique
identifier that provides an unambiguous reference to the profile in
any situation.
3.1.3. Record
A record describes the state of an object at the completion of a
specific Transaction.
3.1.4. Transaction
A transaction is an event in which the state of an object changes.
Every transaction has a globally unique transaction identifier.
Transaction identifiers are issued in a monotonic sequence such that
a transaction that completes at time t1 will always have a lower
transaction identifier than one that begins at time t2 where t2 > t1.
3.2. Profile Types
Master Profile
Personal Profile
Application Profile
Device Profile
3.3. Master Profile
The master profile contains the axioms of trust for a Mesh user.
Identifier: "Master" + UDF Fingerprint of the Master Signing Key
Signature: Master Signing Key The key used to sign the profile
MUST be MasterSigningKey
Property: Master Signing Key The Master Signing key is the
ultimate trust axiom for the Master Profile.
Property: Master Escrow Keys
Property: Online Signature Keys
3.4. Personal Profile
Identifier: UDF Fingerprint of the Master Signing Key
Signature: Online Signature Key The key used to sign the profile
MUST be a member of MasterProfile/OnlineSignatureKeys
Property: Master Profile The Master Profile that this personal
profile is an instance of.
Property: Devices
Property: Applications A list of application profile entries
specifying which application profiles are attached to the
personal profile
3.5. Device Profile
Identifier: UDF Fingerprint of the Device Signing Key
Signature: Device Signing Key The key used to sign the profile
MUST be the DeviceSigningKey
Property: Device Signing Key The Device Signing Key is the trust
axiom for the Device Profile; its UDF fingerprint is the profile
identifier.
Property: Device Encryption Key
Property: Device Authentication Key
3.6. Application Profile
Identifier: Randomly chosen
Property: Encrypted Data
4. Cryptographic Data Objects
4.1. Public Key Objects
4.1.1. Structure: PublicKey
Container for public key pair data
UDF: String (Optional)
UDF fingerprint of the key
X509Certificate: Binary (Optional)
X.509 Certificate
X509Chain: Binary [0..Many]
X.509 Certificate chain.
X509CSR: Binary (Optional)
X.509 Certificate Signing Request.
4.2. JOSE Signature Objects
4.2.1. Structure: SignedData
Container for JOSE signed data and related attributes.
Data: Binary (Optional)
4.3. JOSE Encryption Objects
4.3.1. Structure: EncryptedData
Container for JOSE encrypted data and related attributes.
Data: Binary (Optional)
5. Mesh Profile Objects
5.1. Base Profile Objects
5.1.1. Structure: Entry
Base class for all Mesh Profile objects.
Identifier: String (Optional)
Globally unique identifier that remains constant for the lifetime
of the entry.
5.1.2. Structure: SignedProfile
Inherits: Entry
Contains a signed profile entry
SignedData: JoseWebSignature (Optional)
The signed profile.
Note that each child of SignedProfile requires that the Payload
field of the SignedData object contain an object of a specific
type. For example, a SignedDeviceProfile object MUST contain a
Payload field that contains a DeviceProfile object.
5.1.3. Structure: Profile
Inherits: Entry
Parent class from which all profile types are derived
Names: String [0..Many]
Fingerprints of index terms for profile retrieval. The use of the
fingerprint of the name rather than the name itself is a
precaution against enumeration attacks and other forms of abuse.
Updated: DateTime (Optional)
The time instant the profile was last modified.
NotaryToken: String (Optional)
A Uniform Notary Token providing evidence that a signature was
performed after the notary token was created.
5.2. Device Profile Objects
5.2.1. Structure: SignedDeviceProfile
Inherits: SignedProfile
Contains a signed device profile
[None]
5.2.2. Structure: DeviceProfile
Inherits: Profile
Describes a mesh device.
Description: String (Optional)
Description of the device
DeviceSignatureKey: PublicKey (Optional)
Key used to sign certificates for the DAK and DEK. The
fingerprint of the DSK is the UniqueID of the Device Profile
DeviceAuthenticationKey: PublicKey (Optional)
Key used to authenticate requests made by the device.
DeviceEncryptionKey: PublicKey (Optional)
Key used to pass encrypted data to the device such as a
DeviceUseEntry
5.2.3. Structure: DevicePrivateProfile
Private portion of device encryption profile.
DeviceSignatureKey: Key (Optional)
Private portion of the DeviceSignatureKey
DeviceAuthenticationKey: Key (Optional)
Private portion of the DeviceAuthenticationKey
DeviceEncryptionKey: Key (Optional)
Private portion of the DeviceEncryptionKey
5.3. Master Profile Objects
5.3.1. Structure: SignedMasterProfile
Inherits: SignedProfile
Contains a signed Personal master profile
[None]
5.3.2. Structure: MasterProfile
Inherits: Profile
Describes the long term parameters associated with a personal
profile.
MasterSignatureKey: PublicKey (Optional)
The root of trust for the Personal PKI. The public key of the PMSK
(Personal Master Signing Key) is presented as a self-signed X.509v3
certificate with Certificate Signing use enabled. The PMSK is used
to sign certificates for the PMEK, POSK and PKEK keys.
MasterEscrowKeys: PublicKey [0..Many]
A Master Profile MAY contain one or more PMEK (Personal Master
Escrow) keys to enable escrow of private keys used for stored data.
OnlineSignatureKeys: PublicKey [0..Many]
A Master Profile contains at least one POSK (Personal Online
Signing Key). The POSKs sign the personal profile (Section 3.4)
and device administration application profiles.
5.4. Personal Profile Objects
5.4.1. Structure: SignedPersonalProfile
Inherits: SignedProfile
Contains a signed Personal current profile
[None]
5.4.2. Structure: PersonalProfile
Inherits: Profile
Describes the current applications and devices connected to a
personal master profile.
SignedMasterProfile: SignedMasterProfile (Optional)
The corresponding master profile. The profile MUST be signed by
the PMSK.
Devices: SignedDeviceProfile [0..Many]
The set of device profiles connected to the profile. The profile
MUST be signed by the DSK in the profile.
Applications: ApplicationProfileEntry [0..Many]
Application profiles connected to this profile.
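The signature and identifier bindings stated in Sections 3.3 to 3.5 and in the structures above can be checked mechanically. The following Python is an added example, not code from this draft or from any Mesh implementation. It verifies a SignedPersonalProfile by opening the embedded SignedMasterProfile, requiring the personal profile's signer to be one of the master profile's OnlineSignatureKeys, binding each Identifier to the UDF of the corresponding signing key, and verifying every attached device profile under its own DeviceSignatureKey. Three things are assumptions: the UDF fingerprint is approximated as truncated Base32(SHA-256); a Type field marks the payload type; and an HMAC stands in for the JOSE signature, so the same bytes act as signing and verification key here, which no real signature scheme permits.

```python
import base64, hashlib, hmac, json

def udf_fingerprint(public_key: bytes) -> str:
    # Stand-in for the UDF fingerprint defined in a separate draft:
    # Base32 of SHA-256 over the key bytes, truncated (assumption).
    return base64.b32encode(hashlib.sha256(public_key).digest())[:25].decode()

# Toy signature so the example runs with the standard library only. The Mesh
# carries a JOSE JWS in SignedData; here the same bytes act as signing and
# verification key, which no real signature scheme does.
def toy_sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def toy_verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(toy_sign(key, data), sig)

def pubkey(key: bytes) -> dict:
    # PublicKey object reduced to its UDF plus the raw key for the toy.
    return {"UDF": udf_fingerprint(key), "Key": key.hex()}

def key_bytes(pk: dict) -> bytes:
    return bytes.fromhex(pk["Key"])

def sign_profile(profile: dict, key: bytes) -> dict:
    """SignedProfile entry: outer Identifier plus SignedData holding the
    serialized profile and its signature. The Type field is an assumption."""
    data = json.dumps(profile, sort_keys=True)
    return {"Identifier": profile["Identifier"],
            "SignedData": {"Payload": data, "Signature": toy_sign(key, data.encode())}}

def open_signed(entry: dict, expected_type: str, key_selector) -> dict:
    """Return the payload of a SignedProfile once the payload type, the outer
    Identifier and the signature (by a key chosen from the payload) check out."""
    raw = entry["SignedData"]["Payload"]
    payload = json.loads(raw)
    if payload.get("Type") != expected_type:
        raise ValueError(f"expected {expected_type}, got {payload.get('Type')}")
    if payload["Identifier"] != entry["Identifier"]:
        raise ValueError("outer Identifier does not match the payload")
    sig = entry["SignedData"]["Signature"]
    if not any(toy_verify(k, raw.encode(), sig) for k in key_selector(payload)):
        raise ValueError("signature was not made by an allowed key")
    return payload

def verify_master(entry: dict) -> dict:
    # Self-signed by MasterSignatureKey; Identifier is "Master" + its UDF.
    m = open_signed(entry, "MasterProfile", lambda p: [key_bytes(p["MasterSignatureKey"])])
    if m["Identifier"] != "Master" + udf_fingerprint(key_bytes(m["MasterSignatureKey"])):
        raise ValueError("master Identifier not bound to MasterSignatureKey")
    return m

def verify_device(entry: dict) -> dict:
    # Signed by its own DeviceSignatureKey, whose UDF is the Identifier.
    d = open_signed(entry, "DeviceProfile", lambda p: [key_bytes(p["DeviceSignatureKey"])])
    if d["Identifier"] != udf_fingerprint(key_bytes(d["DeviceSignatureKey"])):
        raise ValueError("device Identifier not bound to DeviceSignatureKey")
    return d

def verify_personal(entry: dict) -> dict:
    """The embedded master profile must verify, the signer must be one of its
    OnlineSignatureKeys, the Identifier must be the UDF of the master signing
    key, and each attached device profile must verify under its own DSK."""
    inner = json.loads(entry["SignedData"]["Payload"])
    master = verify_master(inner["SignedMasterProfile"])
    online = [key_bytes(k) for k in master["OnlineSignatureKeys"]]
    p = open_signed(entry, "PersonalProfile", lambda _: online)
    if p["Identifier"] != udf_fingerprint(key_bytes(master["MasterSignatureKey"])):
        raise ValueError("personal Identifier not bound to the master signing key")
    for dev in p["Devices"]:
        verify_device(dev)
    return p

def build_sample(signer: bytes = b"online-key-1") -> dict:
    """Constructed sample: one master key, one online key, one device. Keys
    are arbitrary byte strings because of the toy signature."""
    msk, dsk = b"master-signing-key", b"device-signing-key"
    master = {"Type": "MasterProfile", "Identifier": "Master" + udf_fingerprint(msk),
              "MasterSignatureKey": pubkey(msk), "OnlineSignatureKeys": [pubkey(b"online-key-1")]}
    device = {"Type": "DeviceProfile", "Identifier": udf_fingerprint(dsk),
              "Description": "Alice's laptop", "DeviceSignatureKey": pubkey(dsk)}
    personal = {"Type": "PersonalProfile", "Identifier": udf_fingerprint(msk),
                "SignedMasterProfile": sign_profile(master, msk),
                "Devices": [sign_profile(device, dsk)], "Applications": []}
    return sign_profile(personal, signer)

def is_rejected(entry: dict) -> bool:
    try:
        verify_personal(entry)
        return False
    except ValueError:
        return True
```

A relying party still has to pin the master profile identifier (or the UDF of the master signing key) that it trusts: the checks bind every object to that identifier, but an attacker can always produce a self-consistent profile set under keys of their own, as `build_sample(signer=b"rogue-key")` shows when the personal profile is signed by a key outside OnlineSignatureKeys and is rejected.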
5.5. Application Profile Objects
5.5.1. Structure: SignedApplicationProfile
Inherits: SignedProfile
Contains a signed application profile
[None]
5.5.2. Structure: EncryptedProfile
Inherits: Entry
Contains an encrypted profile entry
EncryptedData: JoseWebEncryption (Optional)
The signed and encrypted profile
5.5.3. Structure: ApplicationProfile
Inherits: Profile
Parent class from which all application profiles inherit.
EncryptedData: JoseWebEncryption (Optional)
Encrypted application data
5.5.4. Structure: ApplicationProfileEntry
Identifier: String (Optional)
The unique identifier of the application
Type: String (Optional)
The application type
Friendly: String (Optional)
Optional friendly name identifying the application.
SignID: String [0..Many]
List of devices authorized to sign application profiles
DecryptID: String [0..Many]
List of devices authorized to read private parts of application
profiles
5.6. Common Application Objects
5.6.1. Structure: Connection
Describes network connection parameters for an application
ServiceName: String (Optional)
DNS address of the server
Port: Integer (Optional)
TCP/UDP Port number
Prefix: String (Optional)
DNS service prefix as described in [RFC6335]
Security: String [0..Many]
Describes the security mode to use. Valid choices are
Direct/Upgrade/None
UserName: String (Optional)
Username to present to the service for authentication
Password: String (Optional)
Password to present to the service for authentication
URI: String (Optional)
Service connection parameters in URI format
Authentication: String (Optional)
List of the supported/acceptable authentication mechanisms,
preferred mechanism first.
TimeOut: Integer (Optional)
Service timeout in seconds.
Polling: Boolean (Optional)
If set, the client should poll the specified service
intermittently for updates.
5.7. Password Application Profile Objects
5.7.1. Structure: PasswordProfile
Inherits: ApplicationProfile
Stores usernames and passwords
[None]
5.7.2. Structure: PasswordProfilePrivate
Entries: PasswordEntry [0..Many]
5.7.3. Structure: PasswordEntry
Username password entry for a single site
Sites: String [0..Many]
DNS name of site *.example.com matches www.example.com etc.
Username: String (Optional)
Case sensitive username
Password: String (Optional)
Case sensitive password.
5.8. Mail Application Profile Objects
5.8.1. Structure: MailProfile
Inherits: ApplicationProfile
Public profile describes mail receipt policy. Private describes
Sending policy
EncryptionPGP: PublicKey (Optional)
The current OpenPGP encryption key
EncryptionSMIME: PublicKey (Optional)
The current S/MIME encryption key
5.8.2. Structure: MailProfilePrivate
Describes a mail account configuration
Private profile contains connection settings for the inbound and
outbound mail server(s) and cryptographic private keys. Public
profile may contain security policy information for the sender.
EmailAddress: String (Optional)
The RFC822 Email address. [e.g. "alice@example.com"]
ReplyToAddress: String (Optional)
The RFC822 Reply toEmail address. [e.g. "alice@example.com"]
When set, allows a sender to tell the receiver that replies to
this account should be directed to this address.
DisplayName: String (Optional)
The Display Name. [e.g. "Alice Example"]
AccountName: String (Optional)
The Account Name for display to the app user [e.g. "Work
Account"]
Inbound: Connection [0..Many]
The Inbound Mail Connection(s). This is typically IMAP4 or POP3
If multiple connections are specified, the order in the sequence
indicates the preference order.
Outbound: Connection [0..Many]
The Outbound Mail Connection(s). This is typically SMTP/SUBMIT
If multiple connections are specified, the order in the sequence
indicates the preference order.
Sign: PublicKey [0..Many]
The keypair(s) for signing outgoing email. If multiple keys are
specified, the order indicates preference.
Encrypt: PublicKey [0..Many]
The keypair(s) for decrypting incoming email; their public halves
are the ones advertised in the MailProfile. If multiple keys are
specified, the order indicates preference.
5.9. Network Application Profile Objects
5.9.1. Structure: NetworkProfile
Inherits: ApplicationProfile
Describes the network profile to follow
[None]
5.9.2. Structure: NetworkProfilePrivate
Describes the network profile to follow
Sites: String [0..Many]
DNS name of sites to which profile applies *.example.com matches
www.example.com etc.
DNS: Connection [0..Many]
DNS Resolution Services
Prefix: String [0..Many]
DNS prefixes to search
CTL: Binary (Optional)
Certificate Trust List giving WebPKI roots to trust
WebPKI: String [0..Many]
List of UDF fingerprints of keys making up the trust roots to be
accepted for Web PKI purposes.
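Both PasswordEntry (Section 5.7.3) and NetworkProfilePrivate (Section 5.9.2) carry a Sites list in which "*.example.com matches www.example.com etc.", without saying how the match is done. The Python below is an added example, not code from the draft, of a matcher that is safe to use for credential selection: it compares whole DNS labels, so a wildcard never matches by substring or across a different suffix. Two choices the draft leaves open are assumptions here: a wildcard does not cover the bare domain, and it does cover deeper names such as a.b.example.com. The sample entries are constructed.

```python
def site_matches(pattern: str, host: str) -> bool:
    """Does a Sites entry cover host? A leading "*." wildcard matches any
    host under that domain on whole-label boundaries; a plain name matches
    only itself. Comparison is case-insensitive and ignores a trailing dot.
    Assumptions: the wildcard does not match the bare domain but does match
    deeper names. It never matches by substring, so "*.example.com" does not
    cover notexample.com or example.com.attacker.test."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return bool(suffix) and host.endswith("." + suffix)
    return host != "" and host == pattern

def entries_for_host(entries: list, host: str) -> list:
    """Select the PasswordEntry records whose Sites cover host."""
    return [e for e in entries if any(site_matches(s, host) for s in e["Sites"])]

# Constructed sample entries, not data from the draft.
SAMPLE_ENTRIES = [
    {"Sites": ["*.example.com"], "Username": "alice", "Password": "pw1"},
    {"Sites": ["example.com"], "Username": "alice-root", "Password": "pw2"},
    {"Sites": ["bank.example.net", "www.bank.example.net"],
     "Username": "alice", "Password": "pw3"},
]

def usernames_for(host: str) -> list:
    # Which stored usernames would a client offer for this host?
    return [e["Username"] for e in entries_for_host(SAMPLE_ENTRIES, host)]
```

The same function serves NetworkProfilePrivate, where a too-loose match would apply a profile's DNS resolvers and WebPKI trust roots to sites it was never meant for; a bare "*" pattern is deliberately matched by nothing.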
5.10. Key Escrow Objects
5.10.1. Structure: EscrowEntry
Inherits: Entry
Contains escrowed data
EncryptedData: JoseWebEncryption (Optional)
5.10.2. Structure: OfflineEscrowEntry
Inherits: EscrowEntry
Contains data escrowed using the offline escrow mechanism.
[None]
5.10.3. Structure: OnlineEscrowEntry
Inherits: EscrowEntry
Contains data escrowed using the online escrow mechanism.
[None]
5.10.4. Structure: EscrowedKeySet
A set of escrowed keys.
PrivateKeys: Key [0..Many]
The escrowed keys.
6. Portal Connection
6.1. Connection Request and Response Structures
6.1.1. Structure: ConnectionRequest
Describes a connection request.
ParentUDF: String (Optional)
UDF of Mesh Profile to which connection is requested.
Device: SignedDeviceProfile (Optional)
The Device profile to be connected
6.1.2. Structure: SignedConnectionRequest
Inherits: SignedProfile
Contains a ConnectionRequest signed by the corresponding device
signature key.
[None]
6.1.3. Structure: ConnectionResult
Describes the result of a connection request.
Inherits: ConnectionRequest
Result: String (Optional)
The result of the connection request. Valid responses are:
Accepted, Refused, Query.
6.1.4. Structure: SignedConnectionResult
Inherits: SignedProfile
Contains a signed connection result
[None]
7. Mesh Portal Service Reference
SRV Prefix:
_mmm._tcp
HTTP Well Known Service Prefix:
/.well-known/mmm
Every Mesh Portal Service transaction consists of exactly one request
followed by exactly one response. Mesh Service transactions MAY
cause modification of the data stored in the Mesh Portal or the Mesh
itself but do not cause changes to the connection state. The
protocol is thus stateless at the connection level: no transaction
depends on an earlier one having been performed on the same
connection. There is no set sequence in which operations are
required to be performed. It is not necessary to perform a Hello
transaction prior to a ValidateAccount, Publish or any other
transaction.
7.1. Request Messages
A Mesh Portal Service request consists of a payload object that
inherits from the MeshRequest class. When using the HTTP binding,
the request MUST specify the portal DNS address in the HTTP Host
field.
7.1.1. Message: MeshRequest
Base class for all request objects.
Portal: String (Optional)
Name of the Mesh Portal Service to which the request is directed.
7.2. Response Messages
A Mesh Portal Service response consists of a payload object that
inherits from the MeshResponse class. When using the HTTP binding,
the response SHOULD report the Status response code in the HTTP
response message. However the response code returned in the payload
object MUST always be considered authoritative.
7.2.1. Message: MeshResponse
Base class for all responses. Contains only the status code and
status description fields.
A service MAY return either the response message specified for that
transaction or any parent of that message. Thus the MeshResponse
message MAY be returned in response to any request.
Status: Integer (Optional)
Status return code. The SMTP/HTTP scheme is followed: 2xx =
success, 3xx = redirect (transaction incomplete), 4xx = error,
5xx = failure.
StatusDescription: String (Optional)
Text description of the status return code for debugging and log
file use.
7.2.2. Successful Response Codes
The following response codes are returned when a transaction has
completed successfully.
SuccessOK
Operation completed successfully
SuccessCreated
Operation completed successfully, new data item created
SuccessUpdated
Operation completed successfully, data item was updated
7.2.3. Warning Response Codes
The following response codes are returned when a transaction did not
complete because the target service has been redirected.
In the case that a redirect code is returned, the StatusDescription
field contains the URI of the new service. Note however that the
redirect location indicated in a status response might be incorrect
or even malicious and cannot be considered trustworthy without
appropriate authentication.
RedirectPermanent
Service has been permanently moved
RedirectTemporary
Service has been temporarily moved
7.2.4. Error Response Codes
A response code in the range 400-499 is returned when the service was
able to process the transaction but the transaction resulted in an
error.
ClientUnauthorized
Client is not authorized to perform specified request
NotFound
The requested object could not be found.
AlreadyExists
The requested object already exists.
7.2.5. Failure Response Codes
A response code in the range 500-599 is returned when the service was
unable to process the transaction due to an internal failure.
ServerInternal
An internal error occurred at the server
ServerOverload
The server cannot handle the request as it is overloaded
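Sections 7.1 and 7.2 give a client three rules to honour: address the portal under /.well-known/mmm with its DNS name in the Host field, treat the Status in the payload as authoritative over the HTTP status, and treat the URI carried in a redirect's StatusDescription as untrusted. The Python below is an added example of a client-side response handler that applies them; it is not code from the draft or from a Mesh implementation. Assumptions: the HTTP binding runs over https (the draft does not state the transport security), and the numeric codes in the constructed sample responses are illustrative, since the draft names its codes without assigning numbers.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/mmm"   # HTTP binding prefix from Section 7

def portal_endpoint(portal: str) -> tuple:
    """URL and headers for a request to a portal over the HTTP binding. The
    request MUST carry the portal DNS address in Host (Section 7.1); https
    is an assumption, the draft does not name the transport security."""
    return (f"https://{portal}{WELL_KNOWN}",
            {"Host": portal, "Content-Type": "application/json"})

def status_class(status: int) -> str:
    # 2xx success, 3xx redirect, 4xx error, 5xx failure (Section 7.2.1)
    if 200 <= status < 300:
        return "success"
    if 300 <= status < 400:
        return "redirect"
    if 400 <= status < 500:
        return "error"
    if 500 <= status < 600:
        return "failure"
    raise ValueError(f"Status {status} outside the defined ranges")

def redirect_target(description: str) -> str:
    """The redirect URI in StatusDescription is untrusted (Section 7.2.3):
    accept only an absolute https URI with a host and no userinfo, so a
    tampered response cannot move the client to a plaintext or credential-
    bearing endpoint. Authenticating the new service is still required."""
    u = urlsplit(description.strip())
    if u.scheme != "https" or not u.hostname or u.username or u.password:
        raise ValueError(f"refusing redirect to {description!r}")
    return u.geturl()

def interpret(http_status: int, body: bytes) -> dict:
    """Decode a MeshResponse. The payload Status is authoritative; the HTTP
    status is only compared against it and a mismatch flagged for logging."""
    resp = json.loads(body)
    status = resp.get("Status")
    if status is None:
        raise ValueError("MeshResponse without Status")   # nothing to act on
    klass = status_class(status)
    http_ok = 200 <= http_status < 600
    out = {"class": klass, "status": status,
           "description": resp.get("StatusDescription", ""),
           "http_mismatch": (not http_ok) or status_class(http_status) != klass,
           "redirect": None, "payload": resp}
    if klass == "redirect":
        out["redirect"] = redirect_target(out["description"])
    return out

def rejects(http_status: int, body: bytes) -> bool:
    try:
        interpret(http_status, body)
        return False
    except ValueError:
        return True

# Constructed responses; the numeric codes are illustrative.
OK_CREATED = b'{"Status": 201, "StatusDescription": "SuccessCreated"}'
NOT_FOUND_BEHIND_200 = b'{"Status": 404, "StatusDescription": "NotFound"}'
MOVED = b'{"Status": 301, "StatusDescription": "https://mesh2.example.net/.well-known/mmm"}'
MOVED_DOWNGRADE = b'{"Status": 302, "StatusDescription": "http://mesh2.example.net/"}'
```

`NOT_FOUND_BEHIND_200` is the case the draft warns about: an HTTP 200 wrapping a 4xx payload is an error, and the mismatch is worth logging because it usually means a proxy or framework rewrote the transport status. `MOVED_DOWNGRADE` shows why the redirect URI needs its own validation before the client follows it.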
7.3. Imported Objects
The Mesh Service protocol makes use of JSON objects defined in the
JOSE Signature and Encryption specifications.
7.4. Common Structures
The following common structures are used in the protocol messages:
7.4.1. Structure: Version
Describes a protocol version.
Major: Integer (Optional)
Major version number of the service protocol. A higher
Minor: Integer (Optional)
Minor version number of the service protocol.
Encodings: Encoding [0..Many]
Enumerates alternative encodings (e.g. ASN.1, XML, JSON-B)
supported by the service. If no encodings are specified, the JSON
encoding is assumed.
URI: String [0..Many]
The preferred URI for this service. This MAY be used to effect a
redirect in the case that a service moves.
7.4.2. Structure: Encoding
Describes a message content encoding.
ID: String [0..Many]
The IANA encoding name
Dictionary: String [0..Many]
For encodings that employ a named dictionary for tag or data
compression, the name of the dictionary as defined by that
encoding scheme.
7.4.3. Structure: KeyValue
Describes a Key/Value structure used to make queries for records
matching one or more selection criteria.
Key: String (Optional)
The data retrieval key.
Value: String (Optional)
The data value to match.
7.4.4. Structure: SearchConstraints
Specifies constraints to be applied to a search result. These allow
a client to limit the number of records returned, the quantity of
data returned, the earliest and latest data returned, etc.
NotBefore: DateTime (Optional)
Only data published on or after the specified time instant is
requested.
Before: DateTime (Optional)
Only data published before the specified time instant is
requested. This excludes data published at the specified time
instant.
MaxEntries: Integer (Optional)
Maximum number of data entries to return.
MaxBytes: Integer (Optional)
Maximum number of data bytes to return.
PageKey: String (Optional)
Specifies a page key returned in a previous search operation in
which the number of responses exceeded the specified bounds.
When a page key is specified, all the other search parameters
except for MaxEntries and MaxBytes are ignored and the service
returns the next set of data responding to the earlier query.
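The SearchConstraints semantics above, together with the PageKey returned by GetResponse, ConnectPendingResponse and TransferResponse, define a small paging contract: NotBefore is inclusive, Before is exclusive, MaxEntries and MaxBytes cap a page, and a request carrying PageKey ignores every other parameter except those two caps. The Python below is an added example of a service-side implementation of that contract; it is not code from the draft. Assumptions: a page key is an unguessable, single-use cursor held by the server, and a record larger than MaxBytes is still delivered on its own so the client can make progress. The records are constructed.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class SearchConstraints:
    NotBefore: Optional[datetime] = None   # inclusive (Section 7.4.4)
    Before: Optional[datetime] = None      # exclusive
    MaxEntries: Optional[int] = None
    MaxBytes: Optional[int] = None
    PageKey: Optional[str] = None

# Server-side cursor store: page key -> (matched records, next offset).
# Keys are unguessable so one client cannot walk another's result set; a
# deployment would also bind them to the requesting account and expire them.
_PAGES: Dict[str, Tuple[list, int]] = {}

def search(records: list, match: Callable[[dict], bool],
           c: SearchConstraints) -> Tuple[list, Optional[str]]:
    """Apply SearchConstraints to records (dicts with Published: datetime and
    Data: bytes). Returns (items, page_key). With PageKey set, the query and
    the other constraints are ignored and the earlier result continues; the
    key is single-use."""
    if c.PageKey is not None:
        if c.PageKey not in _PAGES:
            raise KeyError("unknown or expired PageKey")
        matched, offset = _PAGES.pop(c.PageKey)
    else:
        matched = [r for r in records if match(r)
                   and (c.NotBefore is None or r["Published"] >= c.NotBefore)
                   and (c.Before is None or r["Published"] < c.Before)]
        offset = 0
    items, size = [], 0
    for r in matched[offset:]:
        if c.MaxEntries is not None and len(items) >= c.MaxEntries:
            break
        # Always deliver at least one record so an oversized record cannot
        # stall the client forever (assumption; the draft does not say).
        if c.MaxBytes is not None and items and size + len(r["Data"]) > c.MaxBytes:
            break
        items.append(r)
        size += len(r["Data"])
    nxt = offset + len(items)
    if nxt < len(matched):
        key = secrets.token_urlsafe(16)
        _PAGES[key] = (matched, nxt)
        return items, key
    return items, None

def utc(day: int) -> datetime:
    return datetime(2016, 3, day, tzinfo=timezone.utc)

# Constructed sample: five records published on successive days.
SAMPLE = [{"Id": d, "Published": utc(d), "Data": b"x" * (10 * d)} for d in range(1, 6)]

def ids(items: list) -> List[int]:
    return [r["Id"] for r in items]
```

The paged continuation deliberately ignores a changed query and a changed NotBefore on the follow-up request, as the draft requires; if that were not so, a client could use a cheap first query to obtain a key and then widen the result set on the second call.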
7.5. Transaction: Hello
Request: HelloRequest
Response: HelloResponse
Report service and version information.
The Hello transaction provides a means of determining which protocol
versions, message encodings and transport protocols are supported by
the service.
7.5.1. Message: HelloRequest
Inherits: MeshRequest
[None]
7.5.2. Message: HelloResponse
Always reports success. Describes the configuration of the Mesh
portal service.
Inherits: MeshResponse
Version: Version (Optional)
Enumerates the protocol versions supported
Alternates: Version [0..Many]
Enumerates alternate protocol version(s) supported
7.6. Transaction: ValidateAccount
Request: ValidateRequest
Response: ValidateResponse
Request validation of a proposed name for a new account.
For validation of a user's account name during profile creation.
7.6.1. Message: ValidateRequest
Inherits: MeshRequest
Describes the proposed account properties. Currently, these are
limited to the account name but could be extended in future versions
of the protocol.
Account: String (Optional)
Account name requested
Reserve: Boolean (Optional)
If true, request a reservation for the specified account name.
Note that the service is not obliged to honor reservation
requests.
Language: String [0..Many]
List of ISO language codes in order of preference. For creating
explanatory text.
7.6.2. Message: ValidateResponse
Inherits: MeshResponse
States whether the proposed account properties are acceptable and
(optionally) returns an indication of what properties are valid.
Note that receiving a 'Valid' response to a Validate Request does not
guarantee creation of the account. In addition to the possibility
that the account name could be requested by another user between the
Validate and Create transactions, a portal service MAY apply more
stringent validation criteria when an account is actually being
created, for example by checking the authoritative list of current
accounts rather than a cached copy.
Valid: Boolean (Optional)
If true, the specified account identifier is acceptable. If
false, the account identifier is rejected.
Minimum: Integer (Optional)
Specifies the minimum length of an account name.
Maximum: Integer (Optional)
Specifies the maximum length of an account name.
InvalidCharacters: String (Optional)
A list of characters that the service does not accept in account
names. The list need not be exhaustive but SHOULD include any
illegal characters in the proposed account name.
Reason: String (Optional)
Text explaining the reason an account name was rejected.
7.7. Transaction: CreateAccount
Request: CreateRequest
Response: CreateResponse
Request creation of a new portal account.
Unlike a profile, a mesh account is specific to a particular Mesh
portal. A mesh account must be created and accepted before a profile
can be published.
7.7.1. Message: CreateRequest
Request creation of a new portal account. The request specifies the
requested account identifier and the Mesh profile to be associated
with the account.
Inherits: MeshRequest
Account: String (Optional)
Account identifier requested.
7.7.2. Message: CreateResponse
Inherits: MeshResponse
Reports the success or failure of a Create transaction.
[None]
7.8. Transaction: Get
Request: GetRequest
Response: GetResponse
Search for data in the mesh that matches a set of properties
described by a sequence of key/value pairs.
7.8.1. Message: GetRequest
Describes the Portal or Mesh data to be retrieved.
Inherits: MeshRequest
Identifier: String (Optional)
Lookup by profile ID
Account: String (Optional)
Lookup by Account ID
KeyValues: KeyValue [0..Many]
List of KeyValue pairs specifying the conditions to be met
SearchConstraints: SearchConstraints (Optional)
Constrain the search to a specific time interval and/or limit the
number and/or total size of data records returned.
Multiple: Boolean (Optional)
If true return multiple responses if available
Full: Boolean (Optional)
If true, the client requests that the full Mesh data record be
returned containing both the Mesh entry itself and the Mesh
metadata that allows the date and time of the publication of the
Mesh entry to be verified.
7.8.2. Message: GetResponse
Reports the success or failure of a Get transaction. If a Mesh entry
matching the specified profile is found, contains the list of entries
matching the request.
Inherits: MeshResponse
DataItems: DataItem [0..Many]
List of mesh data records matching the request.
PageKey: String (Optional)
If non-null, indicates that the number and/or size of the data
records returned exceeds either the SearchConstraints specified in
the request or internal server limits.
7.9. Transaction: Publish
Request: PublishRequest
Response: PublishResponse
Publish a profile or key escrow entry to the mesh.
7.9.1. Message: PublishRequest
Requests publication of the specified Mesh entry.
Inherits: MeshRequest
[None]
7.9.2. Message: PublishResponse
Reports the success or failure of a Publish transaction.
Inherits: MeshResponse
[None]
7.10. Transaction: Status
Request: StatusRequest
Response: StatusResponse
Request the current status of the mesh as seen by the portal to which
it is directed.
The response to the status request contains the last signed
checkpoint and proof chains for each of the peer portals that have
been checkpointed.
[Not currently implemented]
7.10.1. Message: StatusRequest
Inherits: MeshRequest
Initiates a status transaction.
[None]
7.10.2. Message: StatusResponse
Reports the success or failure of a Status transaction.
Inherits: MeshResponse
LastWriteTime: DateTime (Optional)
Time that the last write update was made to the Mesh
LastCheckpointTime: DateTime (Optional)
Time that the last Mesh checkpoint was calculated.
NextCheckpointTime: DateTime (Optional)
Time at which the next Mesh checkpoint should be calculated.
CheckpointValue: String (Optional)
Last checkpoint value.
7.11. Transaction: ConnectStart
Request: ConnectStartRequest
Response: ConnectStartResponse
Request connection of a new device to a mesh profile
7.11.1. Message: ConnectStartRequest
Inherits: MeshRequest
Initial device connection request.
SignedRequest: SignedConnectionRequest (Optional)
Device connection request signed by the signature key of the
device requesting connection.
AccountID: String (Optional)
Account identifier of account to which the device is requesting
connection.
7.11.2. Message: ConnectStartResponse
Reports the success or failure of a ConnectStart transaction.
Inherits: MeshResponse
[None]
7.12. Transaction: ConnectStatus
Request: ConnectStatusRequest
Response: ConnectStatusResponse
Request status of pending connection request of a new device to a
mesh profile
7.12.1. Message: ConnectStatusRequest
Inherits: MeshRequest
Request status information for a pending request posted previously.
AccountID: String (Optional)
Account identifier for which pending connection information is
requested.
DeviceID: String (Optional)
Device identifier of device requesting status information.
7.12.2. Message: ConnectStatusResponse
Reports the success or failure of a ConnectStatus transaction.
Inherits: MeshResponse
Result: SignedConnectionResult (Optional)
The signed ConnectionResult object.
7.13. Transaction: ConnectPending
Request: ConnectPendingRequest
Response: ConnectPendingResponse
Request a list of pending requests for an administration profile.
7.13.1. Message: ConnectPendingRequest
Inherits: MeshRequest
Specify the criteria for pending requests.
AccountID: String (Optional)
The account identifier of the account for which pending connection
requests are requested.
SearchConstraints: SearchConstraints (Optional)
Constrain the search to a specific time interval and/or limit the
number and/or total size of data records returned.
7.13.2. Message: ConnectPendingResponse
Reports the success or failure of a ConnectPending transaction.
Inherits: MeshResponse
Pending: SignedConnectionRequest [0..Many]
A list of pending requests satisfying the criteria set out in the
request.
PageKey: String (Optional)
If non-null, indicates that the number and/or size of the data
records returned exceeds either the SearchConstraints specified in
the request or internal server limits.
7.14. Transaction: ConnectComplete
Request: ConnectCompleteRequest
Response: ConnectCompleteResponse
Post response to a pending connection request.
7.14.1. Message: ConnectCompleteRequest
Reports the success or failure of a ConnectComplete transaction.
o Inherits: MeshRequest
Result: SignedConnectionResult (Optional)
The connection result to be posted to the portal. The result MUST
be signed by a valid administration key for the Mesh profile.
AccountID: String (Optional)
The account identifier to which the connection result is posted.
7.14.2. Message: ConnectCompleteResponse
o Inherits: MeshRequest
Reports the success or failure of a ConnectComplete transaction.
[None]
7.15. Transaction: Transfer
Request: TransferRequest
Response: TransferResponse
Request a bulk transfer of the log between the specified transaction
identifiers. Requires appropriate authorization.
[Not currently implemented]
7.15.1. Message: TransferRequest
o Inherits: MeshRequest
SearchConstraints: SearchConstraints (Optional)
Constrain the search to a specific time interval and/or limit the
number and/or total size of data records returned.
7.15.2. Message: TransferResponse
o Inherits: MeshResponse
Reports the success or failure of a Transfer transaction. If
successful, contains the list of Mesh records to be transferred.
DataItems: DataItem [0..Many]
List of mesh data records matching the request.
PageKey: String (Optional)
If non-null, indicates that the number and/or size of the data
records returned exceeds either the SearchConstraints specified in
the request or internal server limits.
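The SearchConstraints and PageKey rule that both ConnectPendingResponse (7.13.2) and TransferResponse (7.15.2) describe, worked through as an added Python example; this is not code from the draft or from any Mesh implementation. The draft does not define the sub-fields of SearchConstraints, the server's internal limits or the encoding of PageKey, so the time interval, the entry-count and byte-size limits, the SERVER_MAX_* constants and the index-based PageKey below are assumptions of this example, as is the sample log.

```python
"""Added example: selecting one page of log records under SearchConstraints.

Assumptions (not defined in the draft): SearchConstraints carries an
optional time interval plus optional limits on record count and total
bytes; PageKey is an opaque continuation token, encoded here as the
log index of the next record to return.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed internal server limits, applied even when the client asks for more.
SERVER_MAX_ENTRIES = 100
SERVER_MAX_BYTES = 64 * 1024


@dataclass
class SearchConstraints:
    not_before: Optional[datetime] = None   # start of the time interval
    not_after: Optional[datetime] = None    # end of the time interval
    max_entries: Optional[int] = None       # limit on number of records
    max_bytes: Optional[int] = None         # limit on total payload size


@dataclass
class DataItem:
    created: datetime
    payload: bytes


def _effective(client_limit: Optional[int], server_limit: int) -> int:
    # The stricter of the client's request and the server's own limit wins.
    return server_limit if client_limit is None else min(client_limit, server_limit)


def select_page(log: List[DataItem], constraints: SearchConstraints,
                page_key: Optional[str] = None) -> Tuple[List[DataItem], Optional[str]]:
    """Return (records, PageKey).

    PageKey is None when every matching record fit into this page and a
    continuation token otherwise, mirroring the 'if non-null ... exceeds'
    wording of ConnectPendingResponse and TransferResponse.
    """
    start = int(page_key) if page_key else 0
    max_entries = _effective(constraints.max_entries, SERVER_MAX_ENTRIES)
    max_bytes = _effective(constraints.max_bytes, SERVER_MAX_BYTES)

    items: List[DataItem] = []
    total = 0
    for idx in range(start, len(log)):
        item = log[idx]
        if constraints.not_before is not None and item.created < constraints.not_before:
            continue
        if constraints.not_after is not None and item.created > constraints.not_after:
            continue
        over_count = len(items) >= max_entries
        over_size = total + len(item.payload) > max_bytes
        # A single record larger than max_bytes is still delivered on a page
        # of its own, so a client following PageKeys can always make progress.
        if items and (over_count or over_size):
            return items, str(idx)
        items.append(item)
        total += len(item.payload)
    return items, None


def sample_log() -> List[DataItem]:
    """Constructed sample data: five records of 10..50 bytes, one hour apart."""
    base = datetime(2016, 3, 7, tzinfo=timezone.utc)
    return [DataItem(base + timedelta(hours=h), b"x" * (10 * (h + 1)))
            for h in range(5)]


def walk_pages(log: List[DataItem], constraints: SearchConstraints) -> List[List[int]]:
    """Client side: follow PageKey tokens until the server returns none."""
    pages, key = [], None
    while True:
        items, key = select_page(log, constraints, key)
        pages.append([len(i.payload) for i in items])
        if key is None:
            return pages
```

The byte limit is checked before a record is added, so a page never exceeds it except for the single oversized record case called out in the comment; without that exception a record larger than the limit would make the server return an empty page with a PageKey forever.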
8. Mesh Portal Objects
The precise implementation of the portal service and the data
structures representing state at the portal service are outside the
scope of this specification.
The specification of the Mesh Portal objects given here is to enable
future formal specification of the portal protocols by defining the
state changes resulting from portal transactions.
8.1. Mesh Portal Log Entries
Like the Mesh itself, the state of the portal is tracked by an
append-only log. This log contains entries binding account identifiers
to mesh profiles and lists of pending connections.
8.1.1. Structure: PortalEntry
Created: DateTime (Optional)
Time the pending item was created.
Modified: DateTime (Optional)
Time the pending item was last modified.
8.1.2. Structure: Account
Entry for an account. The UniqueID is Account[Name]-[Portal]. Indexed
by [Name], [UserProfileUDF] [Most recent open].
o Inherits: PortalEntry
AccountID: String (Optional)
Assigned account identifier, e.g. 'alice@example.com'. Account
names are not case sensitive.
UserProfileUDF: String (Optional)
Fingerprint of the associated user profile.
Status: String (Optional)
Status of the account; valid values are 'Open', 'Closed' and
'Suspended'.
8.1.3. Structure: AccountProfile
o Inherits: Account
Profile: SignedPersonalProfile (Optional)
The personal profile associated with the account.
8.1.4. Structure: ConnectionsPending
Object containing the list of currently pending device connection
requests for the specified account. Unique-ID is
ConnectionsPending-[UserProfileUDF]
o Inherits: Account
Requests: SignedConnectionRequest [0..Many]
List of pending requests.
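The portal-side state changes that Section 8 says these objects exist to describe, modelled as an added Python example over the PortalEntry, Account and ConnectionsPending structures of 8.1 together with the ConnectStart, ConnectPending and ConnectComplete transactions of Section 7. This is not code from the draft or from any Mesh implementation. The draft does not say how a pending list is updated or how a SignedConnectionResult is verified; this example appends a fresh ConnectionsPending entry for every change (keeping the log append-only) and checks the result with an HMAC under a per-profile administration key, which is an assumed stand-in for the real signed-object format, as are the ConnectionRequest and ConnectionResult classes, the admin_keys lookup and the constructed account and key values.

```python
"""Added example: a toy model of the portal log of Section 8.1 and the
state changes made by ConnectStart, ConnectPending and ConnectComplete.

Assumptions (not from the draft): the pending list is updated by appending
a fresh ConnectionsPending entry; a SignedConnectionResult is checked with
an HMAC over (DeviceID, accepted) under a per-profile administration key,
standing in for the real signature format.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class PortalEntry:
    created: datetime
    modified: datetime


@dataclass
class Account(PortalEntry):
    account_id: str        # e.g. 'alice@example.com'; names are not case sensitive
    user_profile_udf: str  # fingerprint of the associated user profile
    status: str            # 'Open', 'Closed' or 'Suspended'


@dataclass
class ConnectionsPending(Account):
    # Unique-ID is ConnectionsPending-[UserProfileUDF]; the newest entry for a
    # profile carries the complete current list of pending requests.
    requests: List["ConnectionRequest"] = field(default_factory=list)


@dataclass(frozen=True)
class ConnectionRequest:
    device_id: str  # constructed stand-in for a SignedConnectionRequest


@dataclass(frozen=True)
class ConnectionResult:
    device_id: str
    accepted: bool
    signature: bytes  # stand-in for the administration-key signature


def _mac(admin_key: bytes, device_id: str, accepted: bool) -> bytes:
    return hmac.new(admin_key, f"{device_id}:{accepted}".encode(), hashlib.sha256).digest()


def sign_result(admin_key: bytes, device_id: str, accepted: bool) -> ConnectionResult:
    """Administrator side: bind a result to the admin key (HMAC stand-in)."""
    return ConnectionResult(device_id, accepted, _mac(admin_key, device_id, accepted))


class Portal:
    def __init__(self) -> None:
        self.log: List[PortalEntry] = []        # append-only; state is replayed from it
        self.admin_keys: Dict[str, bytes] = {}  # UserProfileUDF -> admin key (assumed)

    def register(self, account_id: str, udf: str, admin_key: bytes) -> None:
        self.admin_keys[udf] = admin_key
        now = datetime.now(timezone.utc)
        self.log.append(Account(now, now, account_id, udf, "Open"))

    def account(self, account_id: str) -> Optional[Account]:
        """Most recent Account entry for the name; None unless its status is Open."""
        name = account_id.lower()
        for entry in reversed(self.log):
            if type(entry) is Account and entry.account_id.lower() == name:
                return entry if entry.status == "Open" else None
        return None

    def pending(self, udf: str) -> List[ConnectionRequest]:
        for entry in reversed(self.log):
            if isinstance(entry, ConnectionsPending) and entry.user_profile_udf == udf:
                return list(entry.requests)
        return []

    def _set_pending(self, acct: Account, requests: List[ConnectionRequest]) -> None:
        self.log.append(ConnectionsPending(acct.created, datetime.now(timezone.utc),
                                           acct.account_id, acct.user_profile_udf,
                                           acct.status, requests))

    def connect_start(self, account_id: str, request: ConnectionRequest) -> str:
        acct = self.account(account_id)
        if acct is None:
            return "Error: unknown or closed account"
        self._set_pending(acct, self.pending(acct.user_profile_udf) + [request])
        return "Pending"

    def connect_pending(self, account_id: str) -> List[ConnectionRequest]:
        acct = self.account(account_id)
        return [] if acct is None else self.pending(acct.user_profile_udf)

    def connect_complete(self, account_id: str, result: ConnectionResult) -> str:
        """Post a result; the log changes only for a validly signed result."""
        acct = self.account(account_id)
        if acct is None:
            return "Error: unknown or closed account"
        expected = _mac(self.admin_keys[acct.user_profile_udf], result.device_id, result.accepted)
        if not hmac.compare_digest(expected, result.signature):
            return "Error: result not signed by an administration key for this profile"
        before = self.pending(acct.user_profile_udf)
        remaining = [r for r in before if r.device_id != result.device_id]
        if len(remaining) == len(before):
            return "Error: no pending request for that device"
        self._set_pending(acct, remaining)
        return "Completed"
```

The signature check runs before any log entry is appended, so a result under the wrong key, or a valid signature replayed over a result with a flipped accept/reject decision, leaves the pending list untouched; account lookup lower-cases the name to honour the 'not case sensitive' rule of 8.1.2.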
9. Security Considerations
TBS
9.1. Confidentiality
9.2. Integrity
9.3. Service
10. IANA Considerations
All the IANA considerations for the Mesh documents are specified in
this document.
11. Acknowledgements
12. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997.
[RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
Cheshire, "Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Service Name and
Transport Protocol Port Number Registry", BCP 165,
RFC 6335, DOI 10.17487/RFC6335, August 2011.
Author's Address
Phillip Hallam-Baker
Comodo Group Inc.
Email: philliph@comodo.com