Mathematical Mesh: Client-Service Profiles
draft-hallambaker-mesh-reference-00

This is an older version of an Internet-Draft whose latest revision state is "Expired".
Author: Phillip Hallam-Baker
Last updated: 2016-01-13

Network Working Group                                    P. Hallam-Baker
Internet-Draft                                         Comodo Group Inc.
Intended status: Standards Track                        January 14, 2016
Expires: July 17, 2016

               Mathematical Mesh: Client-Service Profiles
                  draft-hallambaker-mesh-reference-00

Abstract

   The Mathematical Mesh "The Mesh" is an end-to-end secure
   infrastructure that facilitates the exchange of configuration and
   credential data between multiple user devices.  The core protocols of
   the Mesh are described with examples of common use cases and
   reference data.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 17, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Hallam-Baker              Expires July 17, 2016                 [Page 1]
Internet-Draft            Mathematical Mesh CSP             January 2016

1.  Introduction

   NB: The reference material in this document is generated from the
   schema used to derive the source code.  The tool used to create this
   material has not been optimized to produce output for the IETF
   documentation format at this time.  Consequently the formatting is
   currently sub-optimal.

2.  Definitions

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Use Scenarios

3.1.  Create Profile

3.2.  Connect Device

3.3.  Add Application

3.4.  Update Application

3.5.  Delete Device

3.6.  Key Recovery

4.  Architecture

4.1.  Data Model

4.1.1.  First Class Object

4.1.2.  Profile

   A profile is a first class object.  It has a globally unique
   identifier that provides an unambiguous reference to the profile in
   any situation.

4.1.3.  Record

   A record describes the state of an object at the completion of a
   specific Transaction.

4.1.4.  Transaction

   A transaction is an event in which the state of an object changes.
   Every transaction has a globally unique transaction identifier.
   Transaction identifiers are issued in a monotonic sequence such that
   a transaction that completes at time t1 will always have a lower
   transaction identifier than one that begins at time t2 where t2 > t1.

4.2.  Profile Types

      Master Profile

      Personal Profile

      Application Profile

      Device Profile

   [Figure 1: Relationship of Profile Types]

4.3.  Master Profile

   The master profile contains the axioms of trust for a Mesh user.

      Identifier: "Master" + UDF Fingerprint of the Master Signing Key

      Signature: Master Signing Key  The key used to sign the profile
         MUST be MasterSigningKey

      Property: Master Signing Key  The Master Signing key is the
         ultimate trust axiom for the Master Profile.

      Property: Master Escrow Keys

      Property: Online Signature Keys

4.4.  Personal Profile

      Identifier: UDF Fingerprint of the Master Signing Key

      Signature: Online Signature Key  The key used to sign the profile
         MUST be a member of MasterProfile/OnlineSignatureKeys

      Property: Master Profile  The Master Profile that this personal
         profile is an instance of.

      Property: Devices

      Property: Applications  A list of application profile entries
         specifying which application profiles are attached to the
         personal profile

4.5.  Device Profile

      Identifier: UDF Fingerprint of the Device Signing Key

      Signature: Device Signing Key  The key used to sign the profile
         MUST be MasterSigningKey

      Property: Device Signing Key  The Master Signing key is the
         ultimate trust axiom for the Master Profile.

      Property: Device Encryption Key

      Property: Device Authentication Key

4.6.  Application Profile

      Identifier: Randomly chosen

      Property: Encrypted Data
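
The following Python is an added example, not code from the draft or its reference implementation: it checks the key-authorization rules of Sections 4.3 to 4.5 (master profile signed by its own Master Signing Key, personal profile signed by a member of MasterProfile/OnlineSignatureKeys, device profile identified and signed by its Device Signing Key) over constructed profile objects. The `fingerprint()` function is a stand-in for UDF, the `kid` header field is assumed to carry the signer's fingerprint, and cryptographic verification of the JoseWebSignature is assumed to have already been done.

```python
import base64
import hashlib
from typing import Any, Dict, List

Profile = Dict[str, Any]


def fingerprint(public_key: bytes) -> str:
    """Stand-in for a UDF fingerprint (assumption: the draft cites UDF without
    defining it here), computed as truncated base32 SHA-256 of the key bytes."""
    return base64.b32encode(hashlib.sha256(public_key).digest()).decode()[:25]


def signed(kid: str, payload: Profile) -> Profile:
    """Simplified stand-in for a Signed*Profile entry: the JoseWebSignature is
    reduced to the signer's fingerprint ("kid", an assumed header field) and
    the payload. JWS signature verification is assumed to happen before
    these authorization checks run; this code decides only *which* key signed."""
    return {"Identifier": payload["Identifier"],
            "SignedData": {"kid": kid, "payload": payload}}


def _unwrap(entry: Profile):
    return entry["SignedData"]["kid"], entry["SignedData"]["payload"]


def check_master(entry: Profile) -> List[str]:
    """Section 4.3: signed by its own Master Signing Key, Identifier is
    "Master" + that key's fingerprint, at least one Online Signature Key."""
    kid, mp = _unwrap(entry)
    pmsk = mp.get("MasterSignatureKey", {}).get("UDF")
    if pmsk is None:
        return ["MasterProfile lacks MasterSignatureKey"]
    errs = []
    if kid != pmsk:
        errs.append("MasterProfile not signed by MasterSigningKey")
    if mp.get("Identifier") != "Master" + pmsk:
        errs.append("MasterProfile Identifier does not match MasterSigningKey fingerprint")
    if not mp.get("OnlineSignatureKeys"):
        errs.append("MasterProfile has no OnlineSignatureKeys")
    return errs


def check_device(entry: Profile) -> List[str]:
    """Sections 4.5 and 5.3.12: a device profile is identified by the
    fingerprint of its Device Signing Key and is signed by that key."""
    kid, dp = _unwrap(entry)
    dsk = dp.get("DeviceSignatureKey", {}).get("UDF")
    if dsk is None:
        return ["DeviceProfile lacks DeviceSignatureKey"]
    errs = []
    if kid != dsk:
        errs.append("DeviceProfile not signed by its DeviceSignatureKey")
    if dp.get("Identifier") != dsk:
        errs.append("DeviceProfile Identifier is not the DSK fingerprint")
    return errs


def check_personal(entry: Profile) -> List[str]:
    """Section 4.4: the signer MUST be in MasterProfile/OnlineSignatureKeys,
    the Identifier is the Master Signing Key fingerprint, and each embedded
    master and device profile passes its own check. Empty list = accepted."""
    kid, pp = _unwrap(entry)
    master = pp.get("SignedMasterProfile")
    if master is None:
        return ["PersonalProfile lacks SignedMasterProfile"]
    errs = check_master(master)
    _, mp = _unwrap(master)
    authorised = {k["UDF"] for k in mp.get("OnlineSignatureKeys", [])}
    if kid not in authorised:
        errs.append("PersonalProfile signer not in MasterProfile/OnlineSignatureKeys")
    if pp.get("Identifier") != mp.get("MasterSignatureKey", {}).get("UDF"):
        errs.append("PersonalProfile Identifier is not the MasterSigningKey fingerprint")
    for dev in pp.get("Devices", []):
        errs.extend(check_device(dev))
    return errs


# Constructed sample keys: fingerprints of made-up byte strings, not real keys.
PMSK = fingerprint(b"constructed master signing key")
POSK = fingerprint(b"constructed online signature key")
DSK = fingerprint(b"constructed device signing key")
ROGUE = fingerprint(b"constructed key the master profile never authorised")


def build_personal(signer: str = POSK, device_id: str = DSK) -> Profile:
    """Assemble a constructed personal profile; the defaults satisfy every rule."""
    master = signed(PMSK, {"Identifier": "Master" + PMSK,
                           "MasterSignatureKey": {"UDF": PMSK},
                           "OnlineSignatureKeys": [{"UDF": POSK}]})
    device = signed(DSK, {"Identifier": device_id,
                          "DeviceSignatureKey": {"UDF": DSK}})
    return signed(signer, {"Identifier": PMSK,
                           "SignedMasterProfile": master,
                           "Devices": [device],
                           "Applications": []})


if __name__ == "__main__":
    print(check_personal(build_personal()))              # []
    print(check_personal(build_personal(signer=ROGUE)))  # signer not authorised
```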

5.  MeshItem

5.1.  MeshItem Transactions

5.2.  MeshItem Messages

5.3.  MeshItem Structures

5.3.1.  Structure: Entry

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

5.3.2.  Structure: SignedProfile

   Contains a signed profile entry

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      SignedData :   JoseWebSignature [0..1]

   The signed profile

5.3.3.  Structure: SignedDeviceProfile

   Contains a signed device profile

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      SignedData :   JoseWebSignature [0..1]

   The signed profile

5.3.4.  Structure: SignedMasterProfile

   Contains a signed Personal master profile

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      SignedData :   JoseWebSignature [0..1]

   The signed profile

5.3.5.  Structure: SignedPersonalProfile

   Contains a signed Personal current profile

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      SignedData :   JoseWebSignature [0..1]

   The signed profile

5.3.6.  Structure: SignedApplicationProfile

   Contains a signed device profile

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      SignedData :   JoseWebSignature [0..1]

   The signed profile

5.3.7.  Structure: EncryptedProfile

   Contains an encrypted profile entry

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      EncryptedData :   JoseWebEncryption [0..1]

   The signed and encrypted profile

5.3.8.  Structure: Profile

   Parent class from which all profile types are derived

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      Names :   String [0..Many]

   Fingerprints of index terms for profile retrieval.  The use of the
   fingerprint of the name rather than the name itself is a precaution
   against enumeration attacks and other forms of abuse.

      Updated :   DateTime [0..1]

   The time instant the profile was last modified.

      NotaryToken :   String [0..1]

   A Uniform Notary Token providing evidence that a signature was
   performed after the notary token was created.

5.3.9.  Structure: MasterProfile

   Describes the long term parameters associated with a personal
   profile.

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      Names :   String [0..Many]

   Fingerprints of index terms for profile retrieval.  The use of the
   fingerprint of the name rather than the name itself is a precaution
   against enumeration attacks and other forms of abuse.

      Updated :   DateTime [0..1]

   The time instant the profile was last modified.

      NotaryToken :   String [0..1]

   A Uniform Notary Token providing evidence that a signature was
   performed after the notary token was created.

      MasterSignatureKey :   PublicKey [0..1]

   The root of trust for the Personal PKI, the public key of the PMSK is
   presented as a self-signed X.509v3 certificate with Certificate
   Signing use enabled.  The PMSK is used to sign certificates for the
   PMEK, POSK and PKEK keys.

      MasterEscrowKeys :   PublicKey [0..Many]

   A Personal Profile MAY contain one or more PMEK keys to enable escrow
   of private keys used for stored data.

      OnlineSignatureKeys :   PublicKey [0..Many]

   A Personal profile contains at least one POSK which is used to sign
   device administration application profiles.

5.3.10.  Structure: PersonalProfile

   Describes the current applications and devices connected to a
   personal master profile.

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      Names :   String [0..Many]

   Fingerprints of index terms for profile retrieval.  The use of the
   fingerprint of the name rather than the name itself is a precaution
   against enumeration attacks and other forms of abuse.

      Updated :   DateTime [0..1]

   The time instant the profile was last modified.

      NotaryToken :   String [0..1]

   A Uniform Notary Token providing evidence that a signature was
   performed after the notary token was created.

      SignedMasterProfile :   SignedMasterProfile [0..1]

   The corresponding master profile.  The profile MUST be signed by the
   PMSK.

      Devices :   SignedDeviceProfile [0..Many]

   The set of device profiles connected to the profile.  The profile
   MUST be signed by the DSK in the profile.

      Applications :   ApplicationProfileEntry [0..Many]

   Application profiles connected to this profile.

5.3.11.  Structure: ApplicationProfileEntry

      Identifier :   String [0..1]

   The unique identifier of the application

      Type :   String [0..1]

   The application type

      Friendly :   String [0..1]

   Optional friendly name identifying the application.

      SignID :   String [0..Many]

   List of devices authorized to sign application profiles

      DecryptID :   String [0..Many]

   List of devices authorized to read private parts of application
   profiles

5.3.12.  Structure: DeviceProfile

   Describes a mesh device.

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      Names :   String [0..Many]

   Fingerprints of index terms for profile retrieval.  The use of the
   fingerprint of the name rather than the name itself is a precaution
   against enumeration attacks and other forms of abuse.

      Updated :   DateTime [0..1]

   The time instant the profile was last modified.

      NotaryToken :   String [0..1]

   A Uniform Notary Token providing evidence that a signature was
   performed after the notary token was created.

      Description :   String [0..1]

   Description of the device

      DeviceSignatureKey :   PublicKey [0..1]

   Key used to sign certificates for the DAK and DEK.  The fingerprint
   of the DSK is the UniqueID of the Device Profile

      DeviceAuthenticationKey :   PublicKey [0..1]

   Key used to authenticate requests made by the device.

      DeviceEncryptiontionKey :   PublicKey [0..1]

   Key used to pass encrypted data to the device such as a
   DeviceUseEntry

5.3.13.  Structure: DevicePrivateProfile

   Private portion of device encryption profile.

      DeviceSignatureKey :   Key [0..1]

   Private portion of the DeviceSignatureKey

      DeviceAuthenticationKey :   Key [0..1]

   Private portion of the DeviceAuthenticationKey

      DeviceEncryptiontionKey :   Key [0..1]

   Private portion of the DeviceEncryptiontionKey

5.3.14.  Structure: ApplicationProfile

   Parent class from which all application profiles inherit.

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      Names :   String [0..Many]

   Fingerprints of index terms for profile retrieval.  The use of the
   fingerprint of the name rather than the name itself is a precaution
   against enumeration attacks and other forms of abuse.

      Updated :   DateTime [0..1]

   The time instant the profile was last modified.

      NotaryToken :   String [0..1]

   A Uniform Notary Token providing evidence that a signature was
   performed after the notary token was created.

      EncryptedData :   JoseWebEncryption [0..1]

   Encrypted application data

5.3.15.  Structure: PasswordProfile

   Stores usernames and passwords

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      Names :   String [0..Many]

   Fingerprints of index terms for profile retrieval.  The use of the
   fingerprint of the name rather than the name itself is a precaution
   against enumeration attacks and other forms of abuse.

      Updated :   DateTime [0..1]

   The time instant the profile was last modified.

      NotaryToken :   String [0..1]

   A Uniform Notary Token providing evidence that a signature was
   performed after the notary token was created.

      EncryptedData :   JoseWebEncryption [0..1]

   Encrypted application data

5.3.16.  Structure: PasswordProfilePrivate

      Entries :   PasswordEntry [0..Many]

   [TBS]

5.3.17.  Structure: PasswordEntry

   Username password entry for a single site

      Sites :   String [0..Many]

   DNS name of the site; *.example.com matches www.example.com etc.

      Username :   String [0..1]

   Case sensitive username

      Password :   String [0..1]

   Case sensitive password.

5.3.18.  Structure: MailProfile

   The public profile describes the mail receipt policy; the private
   profile describes the sending policy.

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      Names :   String [0..Many]

   Fingerprints of index terms for profile retrieval.  The use of the
   fingerprint of the name rather than the name itself is a precaution
   against enumeration attacks and other forms of abuse.

      Updated :   DateTime [0..1]

   The time instant the profile was last modified.

      NotaryToken :   String [0..1]

   A Uniform Notary Token providing evidence that a signature was
   performed after the notary token was created.

      EncryptedData :   JoseWebEncryption [0..1]

   Encrypted application data

      EncryptionPGP :   PublicKey [0..1]

   The current OpenPGP encryption key

      EncryptionSMIME :   PublicKey [0..1]

   The current S/MIME encryption key

5.3.19.  Structure: MailProfilePrivate

   Describes a mail account configuration

   Private profile contains connection settings for the inbound and
   outbound mail server(s) and cryptographic private keys.  Public
   profile may contain security policy information for the sender.

      EmailAddress :   String [0..1]

   The RFC822 Email address. [e.g. "alice@example.com"]

      ReplyToAddress :   String [0..1]

   The RFC822 Reply-To email address. [e.g. "alice@example.com"]

   When set, allows a sender to tell the receiver that replies to this
   account should be directed to this address.

      DisplayName :   String [0..1]

   The Display Name. [e.g.  "Alice Example"]

      AccountName :   String [0..1]

   The Account Name for display to the app user [e.g.  "Work Account"]

      Inbound :   Connection [0..Many]

   The Inbound Mail Connection(s).  This is typically IMAP4 or POP3

   If multiple connections are specified, the order in the sequence
   indicates the preference order.

      Outbound :   Connection [0..Many]

   The Outbound Mail Connection(s).  This is typically SMTP/SUBMIT

   If multiple connections are specified, the order in the sequence
   indicates the preference order.

      Sign :   PublicKey [0..Many]

   The public keypair(s) for signing and decrypting email.

   If multiple public keys are specified, the order indicates
   preference.

      Encrypt :   PublicKey [0..Many]

   The public keypairs for encrypting and decrypting email.

   If multiple public keys are specified, the order indicates
   preference.

5.3.20.  Structure: NetworkProfile

   Describes the network profile to follow

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      Names :   String [0..Many]

   Fingerprints of index terms for profile retrieval.  The use of the
   fingerprint of the name rather than the name itself is a precaution
   against enumeration attacks and other forms of abuse.

      Updated :   DateTime [0..1]

   The time instant the profile was last modified.

      NotaryToken :   String [0..1]

   A Uniform Notary Token providing evidence that a signature was
   performed after the notary token was created.

      EncryptedData :   JoseWebEncryption [0..1]

   Encrypted application data

5.3.21.  Structure: NetworkProfilePrivate

   Describes the network profile to follow

      Sites :   String [0..Many]

   DNS names of the sites to which the profile applies; *.example.com
   matches www.example.com etc.
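
As an added example (not code from the draft), the following Python matches a host name against the Sites lists used by PasswordEntry (Section 5.3.17) and NetworkProfilePrivate (Section 5.3.21). The draft only states that *.example.com matches www.example.com; the remaining semantics (whole-label matching, case-insensitivity, one or more labels under a wildcard, bare example.com not covered) are assumptions made here, chosen so that a credential is never offered to a look-alike host.

```python
from typing import Dict, List

PasswordEntry = Dict[str, object]


def site_matches(pattern: str, host: str) -> bool:
    """Match one host name against one Sites entry.

    Assumed semantics (the draft only gives "*.example.com matches
    www.example.com"): comparison is case-insensitive and on whole DNS
    labels; a leading "*." matches one or more labels to the left of the
    suffix, so "*.example.com" does not match the bare "example.com"; an
    entry without a wildcard matches only that exact name. Comparing labels
    instead of calling endswith() keeps "evilexample.com" and
    "www.example.com.attacker.net" from matching "*.example.com".
    """
    pattern = pattern.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if not pattern or not host:
        return False
    if pattern.startswith("*."):
        suffix_labels = pattern[2:].split(".")
        host_labels = host.split(".")
        if "" in suffix_labels:  # malformed entry such as "*..com"
            return False
        return (len(host_labels) > len(suffix_labels)
                and host_labels[-len(suffix_labels):] == suffix_labels)
    return host == pattern


def matching_entries(entries: List[PasswordEntry], host: str) -> List[PasswordEntry]:
    """Return the PasswordEntry records whose Sites list covers host."""
    return [e for e in entries
            if any(site_matches(site, host) for site in e.get("Sites", []))]


# Constructed sample entries in the shape of Section 5.3.17 (not real credentials).
ENTRIES: List[PasswordEntry] = [
    {"Sites": ["*.example.com"], "Username": "alice", "Password": "constructed-1"},
    {"Sites": ["login.example.net"], "Username": "Alice.W", "Password": "constructed-2"},
]
```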

      DNS :   Connection [0..Many]

   DNS Resolution Services

      Prefix :   String [0..Many]

   DNS prefixes to search

      CTL :   Binary [0..1]

   Certificate Trust List giving WebPKI roots to trust

      WebPKI :   String [0..Many]

   List of UDF fingerprints of keys making up the trust roots to be
   accepted for Web PKI purposes.

5.3.22.  Structure: EscrowEntry

   Contains escrowed data

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      EncryptedData :   JoseWebEncryption [0..1]

   [TBS]

5.3.23.  Structure: OfflineEscrowEntry

   Contains data escrowed using the offline escrow mechanism.

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      EncryptedData :   JoseWebEncryption [0..1]

   [TBS]

5.3.24.  Structure: OnlineEscrowEntry

   Contains data escrowed using the online escrow mechanism.

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      EncryptedData :   JoseWebEncryption [0..1]

   [TBS]

5.3.25.  Structure: EscrowedKeySet

   A set of escrowed keys.

      PrivateKeys :   Key [0..Many]

   The escrowed keys.

5.3.26.  Structure: Connection

   Describes network connection parameters for an application

      ServiceName :   String [0..1]

   DNS address of the server

      Port :   Integer [0..1]

   TCP/UDP Port number

      Prefix :   String [0..1]

   DNS service prefix as described in [RFC6335]

      Security :   String [0..Many]

   Describes the security mode to use.  Valid choices are
   Direct/Upgrade/None

      UserName :   String [0..1]

   Username to present to the service for authentication

      Password :   String [0..1]

   Password to present to the service for authentication

      URI :   String [0..1]

   Service connection parameters in URI format

      Authentication :   String [0..1]

   List of the supported/acceptable authentication mechanisms, preferred
   mechanism first.

      TimeOut :   Integer [0..1]

   Service timeout in seconds.

      Polling :   Boolean [0..1]

   If set, the client should poll the specified service intermittently
   for updates.

5.3.27.  Structure: EncryptedData

   Container for JOSE encrypted data and related attributes.

      Data :   Binary [0..1]

   [TBS]

5.3.28.  Structure: SignedData

   Container for JOSE signed data and related attributes.

      Data :   Binary [0..1]

   [TBS]

5.3.29.  Structure: PublicKey

   Container for public key pair data

      UDF :   String [0..1]

   UDF fingerprint of the key

      X509Certificate :   Binary [0..1]

   List of X.509 Certificates

      X509Chain :   Binary [0..Many]

   X.509 Certificate chain.

      X509CSR :   Binary [0..1]

   X.509 Certificate Signing Request.

5.3.30.  Structure: ConnectionRequest

      ParentUDF :   String [0..1]

   [TBS]

      Device :   SignedDeviceProfile [0..1]

   [TBS]

      BlockToken :   String [0..1]

   [TBS]

5.3.31.  Structure: ConnectionResult

      ParentUDF :   String [0..1]

   [TBS]

      Device :   SignedDeviceProfile [0..1]

   [TBS]

      BlockToken :   String [0..1]

   [TBS]

      Result :   String [0..1]

   [TBS]

5.3.32.  Structure: SignedConnectionRequest

   Contains a signed connection request

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      SignedData :   JoseWebSignature [0..1]

   The signed profile

5.3.33.  Structure: SignedConnectionResult

   Contains a signed connection request

      Identifier :   String [0..1]

   Globally unique identifier that remains constant for the lifetime of
   the entry.

      SignedData :   JoseWebSignature [0..1]

   The signed profile

6.  MeshProtocol

6.1.  MeshProtocol Transactions

6.1.1.  Transaction: Hello

   o  Request: HelloRequest

   o  Response: HelloResponse

   Report service and version information.

   The Hello transaction provides a means of determining which protocol
   versions, message encodings and transport protocols are supported by
   the service.

6.1.2.  Transaction: ValidateAccount

   o  Request: ValidateRequest

   o  Response: ValidateResponse

   Request validation of a proposed name for a new account.

   For validation of a user's account name during profile creation.

6.1.3.  Transaction: CreateAccount

   o  Request: CreateRequest

   o  Response: CreateResponse

   Request creation of a new mesh account.

   Unlike a profile, a mesh account is specific to a particular Mesh
   portal.  A mesh account must be created and accepted before a profile
   can be published.

6.1.4.  Transaction: Publish

   o  Request: PublishRequest

   o  Response: PublishResponse

   Publish a profile or key escrow entry to the mesh.

6.1.5.  Transaction: Get

   o  Request: GetRequest

   o  Response: GetResponse

   Search for data in the mesh that matches a set of keys.

6.1.6.  Transaction: GetRecords

   o  Request: GetRequest

   o  Response: GetRecordsResponse

6.1.7.  Transaction: Transfer

   o  Request: TransferRequest

   o  Response: TransferResponse

   Request a bulk transfer of the log between the specified transaction
   identifiers.  Requires appropriate authorization

   [Not currently implemented]

6.1.8.  Transaction: Status

   o  Request: StatusRequest

   o  Response: StatusResponse

   Request the current status of the mesh as seen by the portal to which
   it is directed.

   The response to the status request contains the last signed
   checkpoint and proof chains for each of the peer portals that have
   been checkpointed.

   [Not currently implemented]

6.1.9.  Transaction: ConnectStart

   o  Request: ConnectStartRequest

   o  Response: ConnectStartResponse

   Request connection of a new device to a mesh profile

6.1.10.  Transaction: ConnectStatus

   o  Request: ConnectStatusRequest

   o  Response: ConnectStatusResponse

   Request status of pending connection request of a new device to a
   mesh profile

6.1.11.  Transaction: ConnectPending

   o  Request: ConnectPendingRequest

   o  Response: ConnectPendingResponse

   Request status of pending connection request of a new device to a
   mesh profile

6.1.12.  Transaction: ConnectComplete

   o  Request: ConnectCompleteRequest

   o  Response: ConnectCompleteResponse

   Request status of pending connection request of a new device to a
   mesh profile

6.2.  MeshProtocol Messages

6.2.1.  Message: MeshRequest

   [None]

6.2.2.  Message: MeshResponse

   [None]

6.2.3.  Message: HelloRequest

   [None]

6.2.4.  Message: HelloResponse

      Version :   Version [0..1]

   Enumerates the protocol versions supported

      Alternates :   Version [0..Many]

   Enumerates alternate protocol version(s) supported

6.2.5.  Message: ValidateRequest

      Account :   String [0..1]

   Account name requested

      Reserve :   Boolean [0..1]

   If true, request a reservation for the specified account name.  Note
   that the service is not obliged to honor reservation requests.

      Language :   String [0..Many]

   List of ISO language codes in order of preference.  For creating
   explanatory text.

6.2.6.  Message: ValidateResponse

      Valid :   Boolean [0..1]

   [TBS]

      Minimum :   Integer [0..1]

   [TBS]

      InvalidCharacters :   String [0..1]

   A list of characters from the requested account that the service does
   not accept in account names.

      Reason :   String [0..1]

   Text explaining the reason an account name was rejected.

6.2.7.  Message: CreateRequest

      Account :   String [0..1]

   Account name requested

6.2.8.  Message: CreateResponse

   [None]

6.2.9.  Message: PublishRequest

   [None]

6.2.10.  Message: PublishResponse

   [None]

6.2.11.  Message: GetRequest

      Identifier :   String [0..1]

   Lookup by profile ID

      Account :   String [0..1]

   Lookup by Account ID

      KeyValues :   KeyValue [0..Many]

   List of KeyValue pairs specifying the conditions to be met

      NotBefore :   DateTime [0..1]

   [TBS]

      NotOnOrAfter :   DateTime [0..1]

   [TBS]

      Multiple :   Boolean [0..1]

   If true return multiple responses if available

6.2.12.  Message: GetResponse

   [None]

6.2.13.  Message: GetRecordsResponse

      DataItems :   DataItem [0..Many]

   List of mesh data records matching the request.

6.2.14.  Message: TransferRequest

      NotBefore :   DateTime [0..1]

      Until :   DateTime [0..1]

      After :   String [0..1]

      MaxEntries :   Integer [0..1]

      MaxBytes :   Integer [0..1]

6.2.15.  Message: TransferResponse

   [None]

6.2.16.  Message: StatusRequest

   [None]

6.2.17.  Message: StatusResponse

      LastWriteTime :   DateTime [0..1]

   Time that the last write update was made to the Mesh

      LastCheckpointTime :   DateTime [0..1]

   Time that the last Mesh checkpoint was calculated.

      NextCheckpointTime :   DateTime [0..1]

   Time at which the next Mesh checkpoint should be calculated.

      CheckpointValue :   String [0..1]

   Last checkpoint value.

6.2.18.  Message: ConnectStartRequest

      SignedRequest :   SignedConnectionRequest [0..1]

      AccountID :   String [0..1]

6.2.19.  Message: ConnectStartResponse

      SignedConnectionResult :   String [0..1]

6.2.20.  Message: ConnectStatusRequest

      AccountID :   String [0..1]

      DeviceID :   String [0..1]

6.2.21.  Message: ConnectStatusResponse

      Result :   SignedConnectionResult [0..1]

6.2.22.  Message: ConnectPendingRequest

      AccountID :   String [0..1]

6.2.23.  Message: ConnectPendingResponse

      Pending :   SignedConnectionRequest [0..Many]

6.2.24.  Message: ConnectCompleteRequest

      Result :   SignedConnectionResult [0..1]

      AccountID :   String [0..1]

6.2.25.  Message: ConnectCompleteResponse

   [None]

6.3.  MeshProtocol Structures

6.3.1.  Structure: Version

      Major :   Integer [0..1]

   Major version number of the service protocol.  A higher

      Minor :   Integer [0..1]

   Minor version number of the service protocol.

      Encodings :   Encoding [0..Many]

   Enumerates the alternative encodings (e.g.  ASN.1, XML, JSON-B) that
   the server supports.

      URI :   String [0..Many]

   The preferred URI for this service.  This MAY be used to effect a
   redirect in the case that a service moves.  Because following the
   redirect changes which service the client talks to, a client should
   only act on it when the response carrying it was received over an
   authenticated connection.

6.3.2.  Structure: Encoding

      ID :   String [0..Many]

   The IANA encoding name.

      Dictionary :   String [0..Many]

   For encodings that employ a named dictionary for tag or data
   compression, the name of the dictionary as defined by that encoding
   scheme.

6.3.3.  Structure: KeyValue

      Key :   String [0..1]

   [TBS]

      Value :   String [0..1]

   [TBS]

7.  Portal

7.1.  Portal Transactions

7.2.  Portal Messages

7.3.  Portal Structures

7.3.1.  Structure: PortalEntry

      Created :   DateTime [0..1]

   Time the entry was created.

      Modified :   DateTime [0..1]

   Time the entry was last modified.

7.3.2.  Structure: Account

   Account entry.  The UniqueID of the entry is Account[Name]-[Portal].
   Entries are indexed by [Name], by [UserProfileUDF] and by [Most recent
   open].

      Created :   DateTime [0..1]

   Time the entry was created.

      Modified :   DateTime [0..1]

   Time the entry was last modified.

      AccountID :   String [0..1]

   Assigned account identifier, e.g. 'alice@example.com'.  Account names
   are not case sensitive.

      UserProfileUDF :   String [0..1]

   Fingerprint of associated user profile

      Status :   String [0..1]

   Status of the account; valid values are 'Open', 'Closed' and
   'Suspended'.

7.3.3.  Structure: AccountProfile

      Created :   DateTime [0..1]

   Time the entry was created.

      Modified :   DateTime [0..1]

   Time the entry was last modified.

      AccountID :   String [0..1]

   Assigned account identifier, e.g. 'alice@example.com'.  Account names
   are not case sensitive.

      UserProfileUDF :   String [0..1]

   Fingerprint of associated user profile

      Status :   String [0..1]

   Status of the account; valid values are 'Open', 'Closed' and
   'Suspended'.

      Profile :   SignedPersonalProfile [0..1]

   [TBS]

7.3.4.  Structure: ConnectionsPending

   Object containing the list of currently pending device connection
   requests for the specified account.  Unique-ID is
   ConnectionsPending-[UserProfileUDF]

      Created :   DateTime [0..1]

   Time the pending item was created.

      Modified :   DateTime [0..1]

   Time the pending item was last modified.

      AccountID :   String [0..1]

   Assigned account identifier, e.g. 'alice@example.com'.  Account names
   are not case sensitive.

      UserProfileUDF :   String [0..1]

   Fingerprint of associated user profile

      Status :   String [0..1]

   Status of the account; valid values are 'Open', 'Closed' and
   'Suspended'.

      Requests :   SignedConnectionRequest [0..Many]

   List of pending requests
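
   As an added, self-contained illustration (example code written for
   this page, not code from the draft or from a Mesh implementation), the
   Python below runs the four connection transactions of Sections 6.2.18
   to 6.2.25 against a toy portal that keeps one ConnectionsPending entry
   per user profile as in Section 7.3.4.  The SignedConnectionRequest and
   SignedConnectionResult objects are stood in for by a JSON payload with
   an HMAC tag under constructed keys so that the example runs offline;
   real Mesh signatures, the UDF fingerprint format and the way the portal
   learns which key may approve connections are not modelled.  The Portal
   class, the AdminKey field and run_exchange() are assumptions of the
   example, and Created/Modified timestamps are omitted.

```python
import hashlib
import hmac
import json


def sign(key, body):
    """Stand-in for a Signed* object: JSON payload plus an HMAC tag (assumption)."""
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"Payload": payload, "Signature": tag}


def verify(key, signed):
    """Return the signed body, or raise ValueError if the tag does not check out."""
    tag = hmac.new(key, signed["Payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, signed["Signature"]):
        raise ValueError("signature check failed")
    return json.loads(signed["Payload"])


class Portal:
    """Toy service: Account entries (7.3.2) keyed by case-folded AccountID, one
    ConnectionsPending entry (7.3.4) per UserProfileUDF, and signed results
    waiting to be collected by the devices they concern."""

    def __init__(self):
        self.accounts, self.pending, self.results = {}, {}, {}

    def create_account(self, account_id, profile_udf, admin_key):
        # AdminKey stands in for the key the personal profile authorises to
        # approve connections; it is an assumption, not a field of the draft.
        self.accounts[account_id.lower()] = {"AccountID": account_id, "Status": "Open",
                                             "UserProfileUDF": profile_udf, "AdminKey": admin_key}

    def _account(self, account_id):
        acct = self.accounts.get(account_id.lower())  # names are not case sensitive
        if acct is None or acct["Status"] != "Open":
            raise LookupError("no open account " + account_id)
        return acct

    def connect_start(self, req):          # 6.2.18 -> 6.2.19
        acct = self._account(req["AccountID"])
        # The new device is not trusted yet: its request is only parked for an
        # administration device to inspect, and no result is returned.
        cp = self.pending.setdefault(acct["UserProfileUDF"], {
            "AccountID": acct["AccountID"], "UserProfileUDF": acct["UserProfileUDF"],
            "Status": acct["Status"], "Requests": []})
        cp["Requests"].append(req["SignedRequest"])
        return {"SignedConnectionResult": None}

    def connect_pending(self, req):        # 6.2.22 -> 6.2.23
        acct = self._account(req["AccountID"])
        cp = self.pending.get(acct["UserProfileUDF"])
        return {"Pending": list(cp["Requests"]) if cp else []}

    def connect_complete(self, req):       # 6.2.24 -> 6.2.25
        acct = self._account(req["AccountID"])
        # Act only on a result signed by the profile's administration key, and
        # only for a device that really has a request pending.
        decision = verify(acct["AdminKey"], req["Result"])
        cp = self.pending.get(acct["UserProfileUDF"], {"Requests": []})
        for pending in cp["Requests"]:
            if json.loads(pending["Payload"])["DeviceID"] == decision["DeviceID"]:
                cp["Requests"].remove(pending)
                self.results[(acct["UserProfileUDF"], decision["DeviceID"])] = req["Result"]
                return {}
        raise LookupError("no pending request for device " + decision["DeviceID"])

    def connect_status(self, req):         # 6.2.20 -> 6.2.21
        acct = self._account(req["AccountID"])
        return {"Result": self.results.get((acct["UserProfileUDF"], req["DeviceID"]))}


def run_exchange():
    """Run one device connection end to end; return what each party observed."""
    admin_key, device_key = b"constructed-admin-key", b"constructed-device-key"
    portal, obs = Portal(), {}
    portal.create_account("alice@example.com", "udf-alice", admin_key)
    me = {"AccountID": "alice@example.com", "DeviceID": "dev-1"}
    # 1. The new device signs its request with its own key and posts it.
    portal.connect_start({"SignedRequest": sign(device_key, me), "AccountID": "Alice@Example.COM"})
    obs["status_before"] = portal.connect_status(me)["Result"]
    # 2. The administration device lists pending requests and checks the device
    #    signature (in practice the device key is confirmed out of band).
    pending = portal.connect_pending({"AccountID": me["AccountID"]})["Pending"]
    obs["pending_before"] = len(pending)
    body = verify(device_key, pending[0])
    # 3. It signs its decision and posts it; a result under another key fails.
    decision = {"DeviceID": body["DeviceID"], "Accepted": True}
    try:
        portal.connect_complete({"Result": sign(b"attacker", decision), "AccountID": me["AccountID"]})
        obs["forgery_refused"] = False
    except ValueError:
        obs["forgery_refused"] = True
    portal.connect_complete({"Result": sign(admin_key, decision), "AccountID": me["AccountID"]})
    obs["pending_after"] = len(portal.connect_pending({"AccountID": me["AccountID"]})["Pending"])
    # 4. The device collects its result, verifies it and checks it names itself.
    got = verify(admin_key, portal.connect_status(me)["Result"])
    obs["accepted"] = got["Accepted"] and got["DeviceID"] == me["DeviceID"]
    return obs
```

   The checks that carry the security of the exchange sit in
   connect_complete (the portal acts only on a result under the
   profile's administration key, and only for a device with a request
   actually pending) and in step 4 (the device verifies the result and
   confirms it is about its own DeviceID before treating itself as
   connected).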

8.  Security Considerations

   TBS

8.1.  Confidentiality

8.2.  Integrity

8.3.  Service

9.  IANA Considerations

   All the IANA considerations for the Mesh documents are specified in
   this document.

10.  Acknowledgements

11.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6335]  Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
              Cheshire, "Internet Assigned Numbers Authority (IANA)
              Procedures for the Management of the Service Name and
              Transport Protocol Port Number Registry", BCP 165,
              RFC 6335, DOI 10.17487/RFC6335, August 2011.

Author's Address

   Phillip Hallam-Baker
   Comodo Group Inc.

   Email: philliph@comodo.com